
Restricting VPN client on PIX not working

lee
Level 1

Hello,

I have a pix running 6.3(3).

I've made a Client->Pix VPN setup using the Wizard via PDM, everything adds correctly.

Once everything is added there is one rule for the dynamic crypto map (80).

The rule basically says that the newly added IP pool that resides on the pix can access any host on the inside network using IP.

I've changed the rule so instead of 'any' it can only access host 'x.x.x.150'

I save to flash and try out the VPN: no authentication problems, I get an IP OK, but I can contact any host via ICMP.

When the user is connected via the VPN, if I do a 'show access-list' on the CLI I notice there is a rule that doesn't show in PDM:

access-list dynacl173 line 1 permit any host 192.168.254.21 (hitcnt=11)

.21 is the first usable IP in the pool I've created for this VPN.

Once the user has disconnected, the rule disappears from 'show access-list' and is never seen again until the user reconnects.

What am I doing wrong?


vkapoor5
Level 5

To me, it looks like the split tunnel is not configured properly. Use the following format of the access-list to configure the split-tunnel.

access-list 80 permit ip

Basically, what the above access-list (used in the split-tunnel configuration) says is to permit all traffic from IP addresses in the destined to the networks.

This is a very common mistake many make.
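A PIX 6.3 configuration fragment showing the split-tunnel access-list the reply describes, added here as an example and not taken from the reply or the original poster's configuration. The group name remoteusers, the pool name vpnpool, the inside host 10.10.10.150 and the pool range 192.168.254.21-192.168.254.40 are constructed values (the question only gives .21 as the first pool address and x.x.x.150 as the target host).

```cisco
! Added example, not from the thread. Constructed values:
!   inside host to reach : 10.10.10.150
!   VPN client pool      : 192.168.254.21-192.168.254.40
!   group / pool names   : remoteusers / vpnpool

! Split-tunnel ACL: inside side first, VPN pool side second.
! Naming a single host (instead of "any") limits what is tunnelled
! to that host.
access-list 80 permit ip host 10.10.10.150 192.168.254.0 255.255.255.0

! Address pool handed to connecting clients (.21 is the first address,
! matching the dynamic entry quoted in the question).
ip local pool vpnpool 192.168.254.21-192.168.254.40

! Tie the pool and the split-tunnel ACL to the VPN group.
vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel 80

! Check: the "dynacl" entry in the question is created when a client
! connects, so reconnect the client and re-run "show access-list" to see
! whether the dynamic entry still reads "permit any".
```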