Cisco Support Community
Community Member

VPN Client to PIX issue


I've configured my PIX (506 with 6.1 ver) to terminate a client vpn tunnel(3.5).

This is the configuration of ipsec:

access-list nonat permit ip host host

ip local pool ip-client

nat (inside) 0 access-list nonat

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

aaa-server partnerauth protocol radius

aaa-server partnerauth (inside) host system timeout 10

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-des esp-md5-hmac

crypto dynamic-map paperino 40 set transform-set myset

crypto map pippo 40 ipsec-isakmp dynamic paperino

crypto map pippo client authentication partnerauth

crypto map pippo interface outside

isakmp enable outside

isakmp policy 40 authentication pre-share

isakmp policy 40 encryption des

isakmp policy 40 hash md5

isakmp policy 40 group 2

isakmp policy 40 lifetime 86400

vpngroup superteam address-pool ip-client

vpngroup superteam idle-time 1800

vpngroup superteam password ********

But I'd like those who are connected to my network to be able to see only one service on this server.

I've tried various ways but I cannot specify a service on the nonat access-list or on the dynamic-map match address... because it doesn't work!

Can anyone help me?

thanks a lot.



Re: VPN Client to PIX issue

what you can do is remove the sysopt command:

no sysopt connection permit-ipsec

and then add the conduit/ACL for the VPN client address getting access to that particular server/service

Hope that helps


Community Member

Re: VPN Client to PIX issue

Thanks but...

How can I configure these ACL?

The packets incoming from outside are IPsec packets with the destination IP address being the IP of the outside interface of the PIX?

If I don't use the sysopt I must permit the protocol numbers 50 and 51 and the UDP port 500, but after that... how can I restrict the visibility of some service on my internal server?




Re: VPN Client to PIX issue

you don't have to permit protocol 50 or UDP port 500

Those packets would be allowed into the PIX whether you have sysopt enabled or disabled.

Once you have the sysopt command off, then modify your ACL like this:

access-list outbound_in permit ip < private destination network >

access-list outbound_in permit ip

Hope that helps
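The approach outlined in both replies above (drop the sysopt so decrypted client traffic is subject to the outside interface ACL, then permit only the one service), written out as an added example in PIX 6.x syntax; it is not configuration from the thread or from Cisco. All addresses and the port are constructed placeholders: 192.0.2.0/24 stands for the client pool, 10.0.0.10 for the internal server, and TCP/443 for the single service to expose; the ACL name outside_in is likewise assumed. The nat 0 and dynamic-map match ACLs only select which traffic is exempted from translation or sent through the tunnel, which is why the original poster's attempts to put a service in them had no filtering effect; the restriction belongs in the interface ACL.

```cisco
! Added example (not from the thread): restrict VPN clients to one service
! on one internal server. 192.0.2.0/24 = client pool, 10.0.0.10 = server,
! TCP/443 = the only service exposed. All values are constructed placeholders.

! Client address pool handed out by the vpngroup (assumed range).
ip local pool ip-client 192.0.2.1-192.0.2.254

! NAT exemption only controls translation; it does not filter services,
! so it may keep matching the whole pool and the whole server.
access-list nonat permit ip host 10.0.0.10 192.0.2.0 255.255.255.0
nat (inside) 0 access-list nonat

! With this sysopt removed, decrypted VPN traffic is checked against
! the ACL bound to the outside interface like any other inbound packet.
no sysopt connection permit-ipsec

! Permit only the one service from the pool, then deny everything else
! from the pool. Existing outside ACL entries for non-VPN traffic must be
! merged into this same list, since one ACL is bound per interface.
access-list outside_in permit tcp 192.0.2.0 255.255.255.0 host 10.0.0.10 eq 443
access-list outside_in deny ip 192.0.2.0 255.255.255.0 any
access-group outside_in in interface outside
```

Note that the permit line uses `tcp ... eq 443` rather than `ip`, which is the difference between exposing one service and exposing the whole host. After a client connects, `show access-list outside_in` lets you confirm the permit entry counts the expected connections and the deny entry counts anything else the client tried.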

