08-05-2003 06:34 AM - edited 02-21-2020 12:42 PM
Using PIX - v6.3.
We would like to limit which IP (public) addresses can establish an IPSec tunnel to our network.
One reason (to help clarify) - if a laptop is stolen and the password is discovered (we have no control over vendor laptops that VPN in) - you still must have a certain IP address or subnet for the tunnel to be established.
Note: This is the second go round with this. TACACS+ and RADIUS understood. *Still* is important to us to limit the source addresses for certain VPN clients. Please do not reply with a refresher on VPNs.
Thank you in advance.
08-05-2003 07:30 AM
You can restrict with an access-list, but you must first remove the "sysopt connection permit-ipsec" command. It overrides ACLs and conduits to permit all IPsec traffic terminating at the PIX. Without this sysopt you can configure ACLs to permit the needed protocols and ports. Usually protocols 50 and 51 along with UDP port 500 are all you need.
08-05-2003 07:51 AM
Thanks for the reply.
By doing that, all VPNs must meet the ACL criteria then - correct?
Also, it is my understanding that the VPN would get established - but packets dropped if they do not pass the ACL. Was hoping to control IPSec tunnel establishment based on source address.
Currently doing this with ChkPt - was hoping for the same with the PIX.
As it looks now though, the only way to do this with the PIX is to do what you noted.
Thanks again.
08-05-2003 11:09 AM
If the access-list is applied inbound on the outside interface it will not filter the tunneled traffic, only the tunnel traffic. Also, keep in mind the tunnel establishment and the tunneled traffic are using different source addresses.
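Putting the two replies above together as a PIX 6.3 configuration fragment (an added example, not config posted in this thread). The addresses are constructed placeholders: 203.0.113.0/24 stands for a vendor's public range, 203.0.113.10 for a single vendor laptop and 198.51.100.1 for the PIX outside address; lines starting with ":" are PIX comment lines.

```cisco
: Added example, not from the thread. Placeholder addresses only.
: 203.0.113.0/24 = approved vendor public range, 203.0.113.10 = one approved laptop,
: 198.51.100.1 = PIX outside interface address.
:
: Step 1: remove the implicit permit-all for IPsec terminating on the PIX, otherwise
: the outside access-list is bypassed for tunnel traffic.
no sysopt connection permit-ipsec
:
: Step 2: permit IKE (UDP 500), ESP (protocol 50) and AH (protocol 51) to the PIX
: only from the approved source addresses. A host that is not in this list cannot
: even start IKE, so the tunnel is never established.
access-list outside_in permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 500
access-list outside_in permit esp 203.0.113.0 255.255.255.0 host 198.51.100.1
access-list outside_in permit ah 203.0.113.0 255.255.255.0 host 198.51.100.1
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-list outside_in permit ah host 203.0.113.10 host 198.51.100.1
:
: If NAT traversal is enabled on this PIX (isakmp nat-traversal), UDP 4500 must be
: permitted from the same sources as well; omit these lines if NAT-T is not used.
access-list outside_in permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 4500
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
:
: Step 3: log everything else arriving on the outside interface, so IKE attempts from
: unapproved addresses (for example a stolen laptop on a different network) show up
: in syslog as denied packets instead of silently disappearing.
access-list outside_in deny ip any any log
:
: Step 4: apply the list inbound on the outside interface. As noted in the reply above,
: this matches the tunnel establishment traffic (source = the client's public address),
: which is exactly what you want to restrict.
access-group outside_in in interface outside
```

After applying, confirm with "show access-list outside_in" that the hit counters on the permit lines increase only for the expected vendor addresses and that the deny line records any other IKE attempts.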