VPN Client limited to specific source addresses - Round 2

rsommer
Level 1

Using PIX - v6.3.

We would like to limit which IP (public) addresses can establish an IPSec tunnel to our network.

One reason (to help clarify) - if a laptop is stolen and the password is discovered (we have no control over vendor laptops that VPN in) - you still must have a certain IP address or subnet for the tunnel to be established.

Note: This is the second go-round with this. TACACS+ and RADIUS understood. It is *still* important to us to limit the source addresses for certain VPN clients. Please do not reply with a refresher on VPNs.

Thank you in advance.

3 Replies

jboyer
Level 1

You can restrict with access-list but you must first remove the "sysopt connection permit-ipsec" command. It overrides acls and conduits to permit all ipsec traffic terminating at the pix. Without this sysopt you can configure acls to permit the needed protocols and ports. Usually protocols 50 and 51 along with udp port 500 is all you need.

Thanks for the reply.

By doing that, then, all VPNs must meet the ACL criteria - correct?

Also, it is my understanding that the VPN would get established - but packets dropped if they do not pass the ACL. Was hoping to control IPSec tunnel establishment based on source address.

Currently doing this with ChkPt - was hoping for the same with the PIX.

As it looks now though, the only way to do this with the PIX is to do what you noted.

Thanks again.

If the access-list is applied inbound on the outside interface it will not filter the tunneled traffic, only the tunnel traffic. Also, keep in mind the tunnel establishment and the tunneled traffic are using different source addresses.
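The restriction jboyer describes, and the point in the last reply about tunnel traffic and tunneled traffic having different source addresses, written out as an added PIX 6.3 example (this is not configuration from any post in the thread). All addresses are assumed placeholders: 198.51.100.1 is the PIX outside interface, 203.0.113.10 and 203.0.113.32/27 are the vendor sources allowed to bring up a tunnel, 10.10.10.0/24 is the VPN client address pool, and 10.1.0.0/16 is the inside network.

```cisco
! Added example, not from the thread. PIX 6.3 syntax; masks are subnet masks, not wildcards.
! Assumed addresses: 198.51.100.1 = PIX outside, 203.0.113.10 and 203.0.113.32/27 = approved
! vendor sources, 10.10.10.0/24 = client pool, 10.1.0.0/16 = inside network.

! 1. Stop the PIX from implicitly permitting every IPsec session that terminates on it.
no sysopt connection permit-ipsec

! 2. Tunnel traffic: allow IKE (UDP 500), ESP (IP 50) and AH (IP 51) to the PIX outside
!    address only from the approved public sources. Everything else hits the implicit deny,
!    so IKE phase 1 never completes for an unlisted address and no tunnel is built.
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-list outside_in permit ah  host 203.0.113.10 host 198.51.100.1
access-list outside_in permit udp 203.0.113.32 255.255.255.224 host 198.51.100.1 eq 500
access-list outside_in permit esp 203.0.113.32 255.255.255.224 host 198.51.100.1
access-list outside_in permit ah  203.0.113.32 255.255.255.224 host 198.51.100.1
! If approved clients sit behind NAT and "isakmp nat-traversal" is enabled, UDP 4500 is
! needed as well (assumption: NAT-T in use):
! access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500

! 3. Tunneled traffic: once decrypted, packets carry the pool address as source, not the
!    vendor's public address. With the sysopt removed, the PIX checks decrypted traffic
!    against this same ACL, so the pool must be permitted to the inside hosts it needs.
access-list outside_in permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.0.0

! 4. Apply the list inbound on the outside interface.
access-group outside_in in interface outside

! Verification: hit counts on the udp 500 / esp lines should rise for approved clients,
! and no ISAKMP SA should appear for a source outside the listed ranges.
show access-list outside_in
show isakmp sa
```

The order of the entries does not matter for correctness here because nothing overlaps, but keeping the tunnel-establishment lines (step 2) separate from the decrypted-traffic lines (step 3) makes the two source-address spaces the last reply mentions obvious when reading the hit counters.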