Hello, I have a quite simple home LAN and recently succeeded in establishing a VPN connection from a VPN client 4.05 to a selected machine (192.168.0.43) through my PIX501 from outside. Other local machines are not visible to a VPN user, as intended. However, I want to deny access to a range of ports (5800-5900) on this machine, but all my attempts are ignored and services using these ports are accessible to VPN users. Find my config attached. Any suggestions welcome, thanks in advance.
Disabling the "sysopt ipsec pl-compatible" appears to be too restrictive, since thereafter no connection to a shared drive (which is the main intention for my VPN anyway) was possible at all (pinging was OK).
my deny rules in the split-tunnel acl:
access-list vpn2hive_splitTunnelAcl line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)
access-list vpn2hive_splitTunnelAcl line 2 permit ip host 192.168.0.43 any (hitcnt=0)
access-list vpn2hive_splitTunnelAcl line 3 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)
as well as in the nat0-acl
access-list inside_outbound_nat0_acl line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)
access-list inside_outbound_nat0_acl line 2 permit ip host 192.168.0.43 192.168.1.0 255.255.255.224 (hitcnt=17)
Thanks for your response, Jacko. Unfortunately, since I only run WinXP and Win2K clients in my small home LAN, this appears not to be an option for me. I don't think the PIX501 V6.3(5) provides WINS facilities on its own as it does with DHCP?
What I in fact intend is to enable some selected friends from outside to access a shared folder on one of my machines. However, since a VNC server is running on the target machine at port 5900, I thought I should block it for VPN connections. However, since I can configure VNC itself to accept connections only from selected inside IPs, I can solve this particular issue that way.
Anyway, my interest was mainly a principal one, and so your answer confirmed my guess that these ACLs cannot filter out port access between real inside and VPN addresses. So an additional ACL relating inside and VPN addresses wouldn't have the effect either, I guess?
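Apart from the split-tunnel and nat0 ACLs not being packet filters at all, the deny lines as posted name 192.168.0.43 as the source and 5900 as the source port, so in Cisco extended ACL syntax they can only match packets leaving the VNC server, never a client's connection attempt towards it. The following Python evaluator is an added example (not from this thread and not Cisco code): it parses the posted PIX 6.x ACL lines and checks sample flows against them with first-match semantics; the VPN client address 192.168.1.5 and its ephemeral port are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = ipaddress.IPv4Network("0.0.0.0/0")

@dataclass
class Rule:
    action: str; proto: str
    src: ipaddress.IPv4Network; src_port: Optional[int]
    dst: ipaddress.IPv4Network; dst_port: Optional[int]

def parse_rule(line: str) -> Rule:
    """Parse one PIX 6.x extended ACL line as shown in the thread, e.g.
    'access-list X line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)'."""
    tok = line.split()
    if tok[0] == "access-list":
        tok = tok[2:]                      # drop "access-list <name>"
        if tok[0] == "line":
            tok = tok[2:]                  # drop "line <n>"
    action, proto, pos = tok[0], tok[1], 2

    def addr() -> ipaddress.IPv4Network:   # "any" | "host A" | "A MASK"
        nonlocal pos
        if tok[pos] == "any":
            pos += 1; return ANY
        if tok[pos] == "host":
            pos += 2; return ipaddress.IPv4Network(tok[pos - 1] + "/32")
        pos += 2; return ipaddress.IPv4Network((tok[pos - 2], tok[pos - 1]))

    def port() -> Optional[int]:           # optional "eq <port>" after an address
        nonlocal pos
        if pos < len(tok) and tok[pos] == "eq":
            pos += 2; return int(tok[pos - 1])
        return None

    src, sp = addr(), port()               # source address, then source port
    dst, dp = addr(), port()               # destination address, then destination port
    return Rule(action, proto, src, sp, dst, dp)

def evaluate(acl, proto, src_ip, sport, dst_ip, dport) -> str:
    """First matching rule wins; no match means the implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in acl:
        if r.proto not in ("ip", proto) or s not in r.src or d not in r.dst:
            continue
        if r.src_port not in (None, sport) or r.dst_port not in (None, dport):
            continue
        return r.action
    return "deny"

# The split-tunnel ACL exactly as posted; the hit counters are parsed past and ignored.
SPLIT_TUNNEL = [parse_rule(l) for l in """
access-list vpn2hive_splitTunnelAcl line 1 deny tcp host 192.168.0.43 eq 5900 any (hitcnt=0)
access-list vpn2hive_splitTunnelAcl line 2 permit ip host 192.168.0.43 any (hitcnt=0)
access-list vpn2hive_splitTunnelAcl line 3 permit ip 192.168.1.0 255.255.255.0 any (hitcnt=0)
""".strip().splitlines()]

def client_to_vnc() -> str:   # assumed VPN client 192.168.1.5:50000 -> server:5900 (the connection attempt)
    return evaluate(SPLIT_TUNNEL, "tcp", "192.168.1.5", 50000, "192.168.0.43", 5900)

def vnc_to_client() -> str:   # server:5900 -> client, the only direction line 1 can match
    return evaluate(SPLIT_TUNNEL, "tcp", "192.168.0.43", 5900, "192.168.1.5", 50000)
```

The connection attempt falls through to line 3 and is permitted; only the reply direction hits the deny line, which is consistent with the zero hit count on line 1 for traffic initiated by VPN clients.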