New Member

VPN Client limited to specific source addresses - Round 2

Using PIX - v6.3.

We would like to limit which IP (public) addresses can establish an IPSec tunnel to our network.

One reason (to help clarify) - if a laptop is stolen and the password is discovered (we have no control over vendor laptops that VPN in) - you still must have a certain IP address or subnet for the tunnel to be established.

Note: This is the second go-round with this. TACACS+ and RADIUS understood. It is *still* important to us to limit the source addresses for certain VPN clients. Please do not reply with a refresher on VPNs.

Thank you in advance.

3 REPLIES
New Member

Re: VPN Client limited to specific source addresses - Round 2

You can restrict this with an access-list, but you must first remove the "sysopt connection permit-ipsec" command. It overrides ACLs and conduits to permit all IPsec traffic terminating at the PIX. Without this sysopt you can configure ACLs to permit the needed protocols and ports. Usually protocols 50 and 51 along with UDP port 500 are all you need.

New Member

Re: VPN Client limited to specific source addresses - Round 2

Thanks for the reply.

By doing that, all VPNs must then meet the ACL criteria - correct?

Also, it is my understanding that the VPN would get established - but packets dropped if they do not pass the ACL. Was hoping to control IPSec tunnel establishment based on source address.

Currently doing this with ChkPt - was hoping for the same with the PIX.

As it looks now though, the only way to do this with the PIX is to do what you noted.

Thanks again.

New Member

Re: VPN Client limited to specific source addresses - Round 2

If the access-list is applied inbound on the outside interface, it will not filter the tunneled traffic, only the tunnel traffic. Also, keep in mind that the tunnel establishment and the tunneled traffic use different source addresses.
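The approach from the first reply (drop the sysopt, then permit only ISAKMP, ESP and AH from approved sources), restricted to the tunnel traffic as the last reply notes, written out as an added PIX 6.3 configuration example that is not from this thread. The ACL name `outside_in` and all addresses (PIX outside interface 198.51.100.1, an approved vendor host 203.0.113.10 and an approved vendor subnet 192.0.2.0/24) are constructed placeholders.

```cisco
! Added example, not from the thread. Placeholder values:
!   198.51.100.1   = the PIX outside interface address (assumed)
!   203.0.113.10   = one approved vendor public address (assumed)
!   192.0.2.0/24   = one approved vendor public subnet (assumed)
!
! 1. Stop the PIX from bypassing the interface ACL for IPsec traffic.
no sysopt connection permit-ipsec
!
! 2. Permit ISAKMP (UDP/500), ESP (IP protocol 50) and AH (IP protocol 51)
!    only from the approved sources to the PIX outside address. Any other
!    source is dropped by the implicit deny at the end of the list, so
!    the tunnel is never negotiated from an unapproved address.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-list outside_in permit ah host 203.0.113.10 host 198.51.100.1
access-list outside_in permit udp 192.0.2.0 255.255.255.0 host 198.51.100.1 eq isakmp
access-list outside_in permit esp 192.0.2.0 255.255.255.0 host 198.51.100.1
access-list outside_in permit ah 192.0.2.0 255.255.255.0 host 198.51.100.1
!
! 3. Only if clients sit behind NAT and isakmp nat-traversal is enabled:
!    NAT-T carries the tunnel over UDP/4500 from the same sources.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list outside_in permit udp 192.0.2.0 255.255.255.0 host 198.51.100.1 eq 4500
!
! 4. Apply the list inbound on the outside interface. Any other inbound
!    services the PIX must accept need their own permit lines here.
access-group outside_in in interface outside
```

After a client attempt, `show access-list outside_in` shows per-line hit counts, which confirms that an approved source matched the isakmp line and that an unapproved one produced no hits (its packets fell to the implicit deny).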
