When you use the Cisco VPN Client and click on Statistics, you're able to see the ACL that's related to a particular vpngroup; this ACL is the one you would configure on a PIX with the vpngroup blah split-tunnel command. This ACL shows you the access privileges that you have once the tunnel is set up.
Now, first question:
Can that ACL be something like...
access-list x permit tcp host a.a.a.a eq y host b.b.b.b eq z
That is, can I specify TCP ports to define which traffic is going to be encrypted and sent over the tunnel?
When I use the above-mentioned access-list with vpnclient 3.6.3, I am able to open all TCP ports but not to ping the destination hosts, which is cool with me. But if I use vpnclient 4.0.1, I can not only reach all TCP ports, but I can also ping the servers I'm trying to access (this is not that cool).
Is this behaviour supposed to be like this?
Is there any way to let the tunnel only encrypt and pass certain tcp/udp
access-list x permit tcp host a.a.a.a host b.b.b.b eq z
where "z" is the protocol number. The ACL can be as simple or complicated as you wish.
The second question: vpnclient 3.6.3 is different to vpnclient 4.0.1.
vpnclient 4.0.1 creates a virtual interface with the IP address given to it by the pool on the VPN server. Therefore the ACL that you think you have written to stop pings coming in must include the range of IP addresses that will be given out to clients.
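A PIX 6.x configuration fragment, added here as an illustration and not taken from the thread, showing a port-specific split-tunnel ACL whose destination is the whole client address pool rather than a single client host, as the reply above recommends. The group name, pool, addresses and ports are constructed.

```text
! Constructed example: 10.10.10.0/24 is the inside server network,
! 192.168.50.0/24 is the pool handed out to VPN clients.
ip local pool vpnpool 192.168.50.1-192.168.50.254

! Split-tunnel ACL. Source is the protected (inside) side, destination is the
! client pool, so it matches the pool address a 4.0.1 client's virtual
! interface receives, not a fixed host address. Only TCP 1433 from one server
! and TCP 443 from another are listed; ICMP does not appear in the ACL at all.
access-list split_tunnel permit tcp host 10.10.10.5 eq 1433 192.168.50.0 255.255.255.0
access-list split_tunnel permit tcp host 10.10.10.6 eq 443 192.168.50.0 255.255.255.0

! Bind the pool and the split-tunnel ACL to the group the clients connect with.
vpngroup remote_users address-pool vpnpool
vpngroup remote_users dns-server 10.10.10.1
vpngroup remote_users split-tunnel split_tunnel
vpngroup remote_users idle-time 1800
vpngroup remote_users password <group-preshared-key>
```

After a client connects, the Statistics view in the VPN Client should list these two entries as the tunnel's secured routes, which is the quickest way to confirm the ACL actually pushed is the one you intended.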