Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
394
Views
0
Helpful
5
Replies

Restricting ports to VPN users

camillo_s
Level 1
Level 1

‎01-04-2006 02:58 PM - edited ‎02-21-2020 02:10 PM

Hello, I've a quite simple home LAN and recently succeeded in establishing a VPN connection from a VPN client 4.05 to a selected machine (192.168.0.43) thru my PIX501 from outside. Other local machines are not visible to a VPN user as intended. However I want to deny access to a range of ports (5800-5900) on this machine but all my attempts are ignored and services using these ports are accessible to VPN users. Find my config attached. Any suggestions welcome, thx in advance

Labels:
Preview file
7 KB
0 Helpful
5 Replies 5

jackko
Level 7
Level 7

‎01-04-2006 08:29 PM

disable the command "sysopt ipsec pl-compatible" may do the trick.

0 Helpful

camillo_s
Level 1
Level 1
In response to jackko

‎01-05-2006 03:55 AM

disabling the "sysopt ipsec pl-compatible" appears to be too restrictive since thereafter no connection to a shared drive (which is the main intention for my VPN anyway) was possible at all (pinging was ok)

my deny rules in the split-tunnel acl:

access-list vpn2hive_splitTunnelAcl line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)

access-list vpn2hive_splitTunnelAcl line 2 permit ip host 192.168.0.43 any (hitcnt=0)

access-list vpn2hive_splitTunnelAcl line 3 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)

as well as in the nat0-acl

access-list inside_outbound_nat0_acl line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)

access-list inside_outbound_nat0_acl line 2 permit ip host 192.168.0.43 192.168.1.0 255.255.255.224 (hitcnt=17)

seem to be ignored completely

0 Helpful

jackko
Level 7
Level 7
In response to camillo_s

‎01-05-2006 03:05 PM

both split tunneling and crypto acls don't work with ports, so i guess disabling the sysopt is the only way.

providing the main purpose is to map network drive, deploying a wins server would resolve the issue.

0 Helpful

camillo_s
Level 1
Level 1
In response to jackko

‎01-06-2006 01:36 PM

Thx for Ur response, Jacko. Unfortunateley, since I only run WinXP and Win2K clients in my small home LAN, this appears not to be an option for me. I dont think the PIX501 V6.3(5) provides WINS facilities on its own as it does with DHCP ?

What I in fact intend is to enable some selected friends from outside access to a shared folder on one of my machines. However since a VNC server is running on the target machine at port 5900 I thought I should block it for VPN conns. However, since I can configure VNC itself to accept connections only from selected inside IPs I can solve this paricular issue that way.

Anyway my interest was mainly a principal one and so Ur answer confirmed my guess that these acls cannot filter out port access between real inside and VPN addresses. So an additional acl relating inside and VPN addresses wouldn't have the effect either I guess ?

Thx anyway again

0 Helpful

jackko
Level 7
Level 7
In response to camillo_s

‎01-06-2006 05:38 PM

pix can only direct or push the wins server ip to the client, not providing the wins service itself.

you may configure outbound acl although i'm not a big fan of this. the reason being the server is still going to receive the packet, process the packet, and reply. it's sort of wasting resources.

nonetheless, outbound acl applies on the inside interface will work providing the remote user ip can be identified.

0 Helpful
Customers Also Viewed These Support Documents