Cisco Support Community
Community Member

Restricting access to services for VPN users.

I have a PIX 515-R-DMZ installed and configured for remote access VPN via VPDN and VPNGROUPS. Each of these logins works and gives access to the correct network.

However, I only want my users to have access to port 80 on one server on the internal network and port 3389 on another.

I tried to put the restriction in my nat 0 ACL, but this says that the ports and protocols will be ignored. I have also tried to put an ACL on the inside interface to stop the access (this works for VPDN), but the VPNGROUP walks straight through because it creates its own DYNACL.

This can't be an unusual request, but I can't find anything on CCO. Any suggestions?

Cisco Employee

Re: Restricting access to services for VPN users.

What do you mean by "the vpngroup walks through because it creates its own DYNACL"? Are you sending down an access-list from the authentication server? You can restrict access in a number of ways:

- Add an ACL on the inside interface that'll stop the traffic returning from anything but those two servers on those ports, going to your VPN pool of addresses. This still allows the traffic to reach the other internal servers, but they'll never get a response.

- Add an ACL on the PIX that only permits access to these two servers; then, if you're using an AAA server to authenticate your users, you can send down that ACL number and it will be applied to that user's session. This is detailed here (see how they send down ACL=115 in the user profile).

- If you're running PIX 6.2 and ACS 3.0 with RADIUS only, you can specify the whole access-list on the ACS server and send it down with the user authentication. This is similar to the above method, but the ACL is on the ACS server rather than on the PIX itself.

Community Member

Re: Restricting access to services for VPN users.

Another option you have here is to remove the "sysopt connection permit-ipsec" command from the PIX and configure an access-list and access-group for your outside interface. You will want to permit traffic from your VPN client pool as the source to your inside private network as the destination. Without this command you will have to specify all VPN traffic that you want to access your internal network, but it might be what you're looking for.

Glen: The ACL and access-group on the inside interface doesn't quite work. If you test only with ping, yes, it does stop ping from returning, which makes ya think it's doing its job. But all other VPN traffic does "walk through". I've tested this (had to, because we didn't quite believe the customer either) with 6.2 and, lo and behold, same results. Put our certificate server behind the PIX, set up VPN and pinged with an access-group applied to the inside interface which read "deny ip any any". We couldn't ping. But I could browse to the cert server, download certificates, etc. We also tried restricting traffic by port, and same thing. Found out that the PIX is indeed creating a dynamic ACL to allow that traffic to return. Now it does block the inside from initiating traffic altogether, but anything VPN-side initiated the PIX adds to its ASA table and allows traffic to come and go as long as it's VPN-client-side initiated.

Kurtis Durrett
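The approach described in the reply above (drop `sysopt connection permit-ipsec` and filter the decrypted traffic on the outside interface), written out as an added PIX 6.x configuration fragment; it is not from the original thread or from Cisco. The pool 192.168.100.0/24, inside network 10.1.1.0/24, server addresses 10.1.1.10/10.1.1.20 and the ACL names are assumed values.

```cisco
! Added example, not from the original post. Assumed values:
!   VPN client pool   192.168.100.0/24 (ip local pool VPNPOOL)
!   inside network    10.1.1.0/24
!   web server        10.1.1.10 (tcp/80)
!   terminal server   10.1.1.20 (tcp/3389)
!
! Address pool handed out to remote-access VPN clients.
ip local pool VPNPOOL 192.168.100.1-192.168.100.254
!
! NAT exemption for client-to-inside traffic. Ports and protocols in this
! ACL are ignored by nat 0 (as the original poster found), so it only
! identifies the address pairs and does no access control.
access-list NONAT permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
! Stop the PIX from bypassing the outside interface ACL for decrypted IPsec
! traffic. With the sysopt in place, VPN-client-initiated flows get through
! regardless of any inside-interface ACL, which is the behaviour seen above.
no sysopt connection permit-ipsec
!
! Only these two flows from the client pool may reach the inside network.
! Everything else arriving on the outside interface, decrypted or not, hits
! the implicit deny, so any other inbound services already published on this
! PIX need their own permit lines in the same ACL.
access-list OUTSIDE_IN permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 80
access-list OUTSIDE_IN permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.20 eq 3389
access-group OUTSIDE_IN in interface outside
```

The `!` lines are annotations for the reader; strip them before pasting if the PIX software in use rejects them. Verify the result with `show access-list OUTSIDE_IN` after connecting a client: the hit counters on the two permit lines should increase while a test connection to any other inside host fails.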
