Cisco Support Community
New Member

Restricting ports to VPN users

Hello, I've a quite simple home LAN and recently succeeded in establishing a VPN connection from a VPN client 4.05 to a selected machine ( thru my PIX501 from outside. Other local machines are not visible to a VPN user as intended. However I want to deny access to a range of ports (5800-5900) on this machine but all my attempts are ignored and services using these ports are accessible to VPN users. Find my config attached. Any suggestions welcome, thx in advance


Re: Restricting ports to VPN users

disabling the command "sysopt ipsec pl-compatible" may do the trick.

New Member

Re: Restricting ports to VPN users

disabling the "sysopt ipsec pl-compatible" appears to be too restrictive since thereafter no connection to a shared drive (which is the main intention for my VPN anyway) was possible at all (pinging was ok)

my deny rules in the split-tunnel acl:

access-list vpn2hive_splitTunnelAcl line 1 deny tcp host eq 5900 any (hitcnt=0)

access-list vpn2hive_splitTunnelAcl line 2 permit ip host any (hitcnt=0)

access-list vpn2hive_splitTunnelAcl line 3 permit ip any (hitcnt=0)

as well as in the nat0-acl

access-list inside_outbound_nat0_acl line 1 deny tcp host eq 5900 any (hitcnt=0)

access-list inside_outbound_nat0_acl line 2 permit ip host (hitcnt=17)

seem to be ignored completely


Re: Restricting ports to VPN users

both split tunneling and crypto acls don't work with ports, so i guess disabling the sysopt is the only way.

providing the main purpose is to map network drive, deploying a wins server would resolve the issue.

New Member

Re: Restricting ports to VPN users

Thx for Ur response, Jacko. Unfortunately, since I only run WinXP and Win2K clients in my small home LAN, this appears not to be an option for me. I don't think the PIX501 V6.3(5) provides WINS facilities on its own as it does with DHCP?

What I in fact intend is to enable some selected friends from outside access to a shared folder on one of my machines. However since a VNC server is running on the target machine at port 5900 I thought I should block it for VPN conns. However, since I can configure VNC itself to accept connections only from selected inside IPs I can solve this particular issue that way.

Anyway my interest was mainly a principal one and so Ur answer confirmed my guess that these acls cannot filter out port access between real inside and VPN addresses. So an additional acl relating inside and VPN addresses wouldn't have the effect either I guess ?

Thx anyway again


Re: Restricting ports to VPN users

pix can only direct or push the wins server ip to the client, not providing the wins service itself.

you may configure outbound acl although i'm not a big fan of this. the reason being the server is still going to receive the packet, process the packet, and reply. it's sort of wasting resources.

nonetheless, an outbound acl applied on the inside interface will work, provided the remote user ip can be identified.
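
The inside-interface ACL described in the last reply could look like the following on PIX 6.3. This is an added example, not a configuration posted by anyone in the thread. The ACL name `inside_access_in` and both addresses (192.168.1.10 for the inside host, 192.168.50.0/24 for the VPN client pool) are assumptions, because the thread's own addresses are not shown.

```cisco
! Annotation lines start with "!" and are not part of the configuration.
! Constructed addresses: 192.168.1.10 = inside host, 192.168.50.0/24 = VPN client pool.

! Drop the host's replies from TCP source ports 5800-5900 towards the VPN pool.
access-list inside_access_in deny tcp host 192.168.1.10 range 5800 5900 192.168.50.0 255.255.255.0

! Once an ACL is bound to the inside interface, an implicit deny ends it,
! so all other traffic leaving the inside has to be permitted explicitly.
access-list inside_access_in permit ip any any

! PIX 6.3 binds ACLs in the "in" direction only: this filters packets as they
! enter the inside interface, i.e. traffic heading out of the LAN.
access-group inside_access_in in interface inside

! Check: the hitcnt on the deny line should increase when a VPN client tries port 5900.
show access-list inside_access_in
```

Because the rule matches the host's reply packets, the service still receives and answers the client's request, which is the resource cost the reply mentions. Restricting the service itself to trusted source addresses, as the original poster did with VNC, stops the request at the host.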
