Cisco Support Community

lee
New Member

Restricting VPN client on PIX not working

Hello,

I have a pix running 6.3(3).

I've made a Client->Pix VPN setup using the Wizard via PDM, everything adds correctly.

Once everything is added there is one rule for the dynamic crypto map (80).

The rule basically says that the newly added IP pool that resides on the pix can access any host on the inside network using IP.

I've changed the rule so instead of 'any' it can only access host 'x.x.x.150'

Save to flash and I try out the VPN: no authentication problems, I get an IP OK, but I can contact any host via ICMP.

When the user is connected via the VPN, if I do a 'show access-list' on the CLI I notice there is a rule that doesn't show in PDM:

access-list dynacl173 line 1 permit any host 192.168.254.21 (hitcnt=11)

.21 is the first usable IP in the pool I've created for this VPN.

Once the user has disconnected, the rule disappears from 'show access-list' and is never to be seen again, until the user reconnects.

What am I doing wrong?

1 REPLY
Bronze

Re: Restricting VPN client on PIX not working

To me, it looks like the split tunnel is not configured properly. Use the following format of the access-list to configure the split-tunnel.

access-list 80 permit ip

Basically what the above access-list (used in the split-tunnel configuration) says is that permit all traffic from IP addresses in the destined to the networks.

This is a very common mistake many make.
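As an added illustration (not part of the reply above and not the original poster's configuration), this is the general shape of a PIX 6.3 split-tunnel definition. The pool range, inside subnet and the vpngroup name "remote" are assumed placeholders; only the .21 pool start is taken from the question.

```cisco
! Assumed values: client pool 192.168.254.21-.30, inside network 10.1.1.0/24,
! vpngroup named "remote". Replace with your own addresses and group name.
ip local pool vpnpool 192.168.254.21-192.168.254.30

! Split-tunnel ACL: source = inside network(s) reachable through the tunnel,
! destination = the VPN client pool. The client encrypts only traffic that
! matches this ACL; everything else leaves the client in the clear.
access-list split_tunnel permit ip 10.1.1.0 255.255.255.0 192.168.254.0 255.255.255.0

vpngroup remote address-pool vpnpool
vpngroup remote split-tunnel split_tunnel
```

After a client connects, `show crypto ipsec sa` on the PIX shows the proxy identities that were actually negotiated, which is the quickest way to confirm the ACL was pushed as intended. Note that a split-tunnel ACL only tells the client which destinations to send into the tunnel; it is not a firewall policy on the PIX. If the intent is to enforce that VPN users reach only one host, check whether `sysopt connection permit-ipsec` is present, since it lets decrypted IPsec traffic bypass the interface access lists.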
