
New Member

vpn client and access-list on pix vpngroup


When you use the Cisco VPN client and click on Statistics, you're able to see the ACL that's related to a particular vpngroup. This ACL is the one you would configure on a PIX with the vpngroup blah split-tunnel command. This ACL shows you the access privileges that you have once the tunnel is set up.

Now, first question:

Can that ACL be something like...

access-list x permit tcp host a.a.a.a eq y host b.b.b.b eq z

That is, can I specify TCP ports to define which traffic is going to be encrypted and sent over the tunnel?


When I use the above-mentioned access-list with VPN client 3.6.3, I am able to open all TCP ports but not to ping the destination hosts, which is cool with me. But if I use VPN client 4.0.1, I can not only reach all TCP ports but also ping the servers I'm trying to access (this is not that cool).

Is this behaviour supposed to be like this?

Is there any way to let the tunnel only encrypt and pass certain TCP/UDP




New Member

Re: vpn client and access-list on pix vpngroup

In answer to the first question, the ACL should be

access-list x permit tcp host a.a.a.a host b.b.b.b eq z

where "z" is the protocol number. The ACL can be as simple or complicated as you wish.

The second question: VPN client 3.6.3 is different from VPN client 4.0.1.

VPN client 4.0.1 creates a virtual interface with the IP address given to it by the pool on the VPN server. Therefore the ACL that you think you have written to stop pings coming in must include the range of IP addresses that will be given out to clients.
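To make the relationship between the client address pool and the split-tunnel ACL concrete, here is an added PIX 6.x remote-access configuration fragment. It is not from either poster; the names (vpnpool, splittun, ourgroup, outside_map, dynmap, strong) and all addresses are assumptions. Note that in PIX ACL syntax the value after eq is a TCP/UDP port number, and that the PIX uses subnet masks, not wildcard masks, in access-list entries.

```text
! Added example, not from the thread. PIX 6.x software; names and addresses are assumptions.

! Addresses handed out to VPN clients. A 4.x client binds its virtual adapter to one of these,
! so traffic from the client is sourced from this range once the tunnel is up.
ip local pool vpnpool 10.10.10.1-10.10.10.254

! Split-tunnel ACL: source = the protected inside network, destination = the client pool.
! Only traffic matching this ACL is sent through the tunnel by the client; everything else
! leaves the client in the clear. Because the destination side is the pool, the pool range
! is what the ACL "includes" for the clients. The PIX parser also accepts per-port entries
! (e.g. ... host 192.168.1.10 eq 1433), but, as the thread shows, whether the client honours
! the ports differs between client versions, so the split-tunnel ACL is not a reliable access
! control by itself.
access-list splittun permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0

vpngroup ourgroup address-pool vpnpool
vpngroup ourgroup split-tunnel splittun
vpngroup ourgroup idle-time 1800
vpngroup ourgroup password ********

! Dynamic crypto map for the remote-access clients
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map client configuration address initiate
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Decrypted IPsec traffic bypasses the outside interface ACL while this is set, so an
! outside ACL does not restrict what VPN clients can reach on the inside.
sysopt connection permit-ipsec
```

Check what the PIX actually pushed to a client with show vpngroup and, on the client, the Statistics tab mentioned in the first post; if ICMP from a 4.x client still reaches inside hosts, that is expected with this configuration, because nothing here filters decrypted traffic.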

New Member

Re: vpn client and access-list on pix vpngroup

Well, it looks like it makes no difference whether you use a detailed ACL or a general ACL.

Finally, what I wanted to do is restrict user access to my inside network, so what I did is use downloadable ACLs on an AAA server.

That worked just fine.
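As an added illustration of the approach the last post settled on (this is not the poster's configuration), here is the PIX side of a per-user downloadable ACL pushed from a RADIUS server such as Cisco Secure ACS during XAUTH, together with the ACL body as it would be entered on the ACS side. It assumes a crypto map named outside_map already exists and that the client pool is 10.10.10.0/24; the server address, shared secret and inside host addresses are assumptions. Downloadable ACLs are delivered over RADIUS, not TACACS+.

```text
! Added example, not from the thread. Names, addresses and the secret are assumptions.

! RADIUS server group used for client (XAUTH) authentication
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.5 sharedsecret timeout 5

! Clients must authenticate to RADIUS before the tunnel is brought up; the RADIUS reply
! carries the per-user ACL, which the PIX then applies to that client's decrypted traffic.
crypto map outside_map client authentication RADIUS

! ACS side: Shared Profile Components > Downloadable IP ACLs, written in PIX ACL syntax
! and assigned to the user or group. Source = the client pool, destination = only the
! inside services this user may reach. ICMP is not listed, so pings are dropped even
! from a 4.x client whose virtual adapter holds a pool address.
permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 1433
permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
deny ip any any
```

After a client connects, show uauth on the PIX lists the authenticated user and the ACL name that was downloaded, which is the quickest way to confirm the server actually delivered one rather than the client simply falling back to unfiltered access.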

