261 Views, 0 Helpful, 2 Replies

vpn client and access-list on pix vpngroup

Carlos A. Silva
Level 3

hi:

when you use cisco vpn client and click on statistics you're able to see the acl that's related to a particular vpngroup, this acl is the one you would configure on a pix with the vpn-group blah split-tunnel command. this acl shows you the access privileges that you have once the tunnel is setup.

now first question:

can that acl be something like...

access-list x permit tcp host a.a.a.a eq y host b.b.b.b eq z

that is can i specify tcp ports to define which traffic is going to be encrypted and sent over the tunnel?

second:

when i use the above mentioned access-list and use vpnclient 3.6.3 i am able to open all tcp ports but not to ping the destination hosts, which is cool with me. but if i use vpnclient 4.0.1 i can not only reach all tcp ports, but also ping the servers i'm trying to access (this is not that cool).

is this behaviour supposed to be like this?

is there any way to let the tunnel only encrypt and pass certain tcp/udp ports?

regards,

c.

2 Replies

steven.wilson
Level 1

in answer to the first question the acl should be

access-list x permit tcp host a.a.a.a host b.b.b.b eq z

where "z" is the protocol number. the acl can be as simple or complicated as you wish.

The second question, vpnclient 3.6.3 is different to vpnclient 4.0.1.

vpnclient 4.0.1 creates a virtual interface with the ip address given to it by the pool on the vpn server. Therefore the acl that you think that you have written to stop pings coming in must include the range of ip addresses that will be given out to clients.
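The reply above makes the point that an access list meant to filter VPN client traffic only works if its source entries actually cover the addresses handed out by the client pool. The following script is an added example, not code from the thread or from Cisco: it parses PIX-style `access-list` lines (`host`, `any`, and `network mask` forms, with optional `eq`/`range` port qualifiers) and reports, for a given pool range, which entries cover the whole pool, part of it, or none of it, plus any pool addresses no permit entry matches. The pool range and the sample ACL are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed sample (not from the thread): a VPN client pool and a PIX-style ACL
# that was written to control what the clients can reach on the inside.
SAMPLE_POOL = ("10.10.10.1", "10.10.10.50")
SAMPLE_ACL = """
access-list vpnfilter permit tcp host 10.10.10.7 host 192.168.1.20 eq 22
access-list vpnfilter permit tcp 10.10.10.0 255.255.255.224 host 192.168.1.20 eq 443
access-list vpnfilter permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list vpnfilter deny ip any any
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(.*)$")
# Port operators and the number of arguments each one takes.
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}


def _take_address(tokens):
    """Consume one PIX-style address spec from the front of the token list."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access lists use a normal subnet mask, not an IOS wildcard mask.
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def _take_port(tokens):
    """Consume an optional port qualifier such as 'eq 443' or 'range 1 1024'."""
    if tokens and tokens[0] in PORT_OPS:
        n = PORT_OPS[tokens[0]]
        return " ".join(tokens[: n + 1]), tokens[n + 1:]
    return None, tokens


def parse_ace(line):
    """Parse one access-list entry; returns None for lines that are not ACEs."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None
    name, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _take_address(tokens)
    src_port, tokens = _take_port(tokens)
    dst, tokens = _take_address(tokens)
    dst_port, tokens = _take_port(tokens)
    return {"name": name, "action": action, "proto": proto,
            "src": src, "src_port": src_port, "dst": dst, "dst_port": dst_port}


def _parse_acl(acl_text):
    return [a for a in (parse_ace(l) for l in acl_text.strip().splitlines()) if a]


def pool_coverage(acl_text, pool_first, pool_last):
    """For each ACE, classify how its source matches the client pool range."""
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    results = []
    for ace in _parse_acl(acl_text):
        net = ace["src"]
        if first in net and last in net:
            cov = "full"
        elif int(net.network_address) <= int(last) and int(net.broadcast_address) >= int(first):
            cov = "partial"
        else:
            cov = "none"
        results.append((ace["action"], ace["proto"], str(net), cov))
    return results


def unmatched_pool_addresses(acl_text, pool_first, pool_last):
    """Pool addresses that no permit entry's source covers at all."""
    permits = [a for a in _parse_acl(acl_text) if a["action"] == "permit"]
    first, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    missing = []
    for i in range(int(first), int(last) + 1):
        addr = ipaddress.ip_address(i)
        if not any(addr in a["src"] for a in permits):
            missing.append(str(addr))
    return missing


if __name__ == "__main__":
    for action, proto, src, cov in pool_coverage(SAMPLE_ACL, *SAMPLE_POOL):
        print(f"{action:6} {proto:4} src={src:20} pool coverage: {cov}")
    gaps = unmatched_pool_addresses(SAMPLE_ACL, *SAMPLE_POOL)
    print(f"{len(gaps)} pool addresses matched by no permit entry: {gaps[:3]} ...")
```

With the constructed sample, the `host 10.10.10.7` and the `/27` entries each cover only part of the pool, the 172.16.0.0 entry covers none of it, and the final `deny ip any any` covers all of it, so clients that receive 10.10.10.32 through 10.10.10.50 match no permit entry. Running this kind of check before applying an ACL to VPN client traffic catches exactly the mismatch between the written entries and the pool that the reply describes.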

well, looks like it makes no difference if you use detailed acl or general acl.

finally what i wanted to do is restrict user access to my inside, so what i did is to use downloadable acls on an aaa server.

that worked just fine.

c.