Cisco Support Community

Cisco Employee

VPN traffic filtering

I have the following problem.

Some customers of ours are using the PIX 500 series as a VPN endpoint.

They use it to let remote users or partners connect to the inside network.

We have done different configurations, both with IPsec and PPTP as the protocol, and with Cisco's VPN client 3.5 and the MS PPTP client.

The problem is that we were unable to set a filter (ACL) on the internal hosts that VPN clients can reach.

We need to be able to filter per host and per port the traffic between the VPN clients' subnet and the internal network.

Following is an extract from the PPTP configuration:

PIX Version 5.3(3)

nameif ethernet0 outside security0

nameif token-ring0 inside security100

nameif ethernet1 dmz security99


name 194.x.x.69 ASSAP ! it's inside

access-list vpn-nonat permit ip host ASSAP


ip address outside 80.x.x.99

ip address inside 194.x.x.103

ip address dmz 194.x.x.209

ip audit info action alarm

ip audit attack action alarm

ip local pool VPN-IP-POOL


nat (inside) 0 access-list vpn-nonat

access-group from-outside in interface outside

access-group from-inside in interface inside


sysopt connection permit-ipsec

sysopt connection permit-pptp

no sysopt route dnat

isakmp identity hostname

telnet timeout 50

ssh timeout 5

vpdn group 1 accept dialin pptp

vpdn group 1 ppp authentication pap

vpdn group 1 ppp authentication chap

vpdn group 1 ppp authentication mschap

vpdn group 1 ppp encryption mppe 40

vpdn group 1 client configuration address local VPN-IP-POOL

vpdn group 1 client authentication local

vpdn username xxxxxxxxxxxxx password xxxxxxxxxxxxxxxxxx

vpdn enable outside

With such a configuration, VPN clients can reach every port of the internal host ASSAP; we'd like to limit it to just one port.


New Member

Re: VPN traffic filtering

The place to control that is in the access-list. You can set it for whatever you want to let through. However, Cisco recommends not using anything but IP in VPN access lists and not limiting by port. They say it will eat up cpu cycles. So you may want to try it and watch your performance.

Cisco Employee

Re: VPN traffic filtering

It doesn't work as you said; I thought the same.

If you put anything other than ip in the access list "vpn-nonat" and then apply it with

nat (inside) 0 access-list vpn-nonat

you get a message that port and TCP rules will be ignored.

New Member

Re: VPN traffic filtering

That must be a version issue then. I'm running 6.2 and I did it successfully.

I only did it temporarily but it did work.

Is there a reason for not upgrading? There's all sorts of fun stuff in the newer versions:)

Cisco Employee

Re: VPN traffic filtering

The customer has a Token Ring interface, which is not supported on 6.x.

But I tried the same, almost, on a 6.2.2 and got the same problem.

Have you got an example of what your configuration was like?
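Added example, not from any of the posters in this thread: a PIX 6.x-style configuration fragment showing the posted setup beside a corrected one. It takes the thread's two observations together. First, the ACL referenced by nat (inside) 0 access-list is only a NAT exemption, so a port clause there is ignored (the "port and tcp rules will be ignored" message), and the per-port filter belongs in the interface ACL that the posted config already applies with access-group from-outside in interface outside. Second, sysopt connection permit-pptp exempts tunnelled client traffic from that interface ACL, so it has to be removed for the filter to take effect, and the tunnel itself (TCP/1723 and GRE to the PIX) then has to be permitted explicitly. Assumptions: the redacted pool is taken as 10.1.1.0/24 and the single port on ASSAP as TCP/80; 80.x.x.99 and ASSAP are kept as they appear in the post, so the fragment is illustrative rather than paste-ready. Whether the 5.3(3) release in the original post behaves identically is not established in the thread; the 6.2.2 box mentioned in the last post is where this would be tested.

```text
: Added example, not from the thread. Assumed values: pool 10.1.1.0/24 (the real
: range is redacted in the post) and TCP/80 as the one port to expose on ASSAP.
: 80.x.x.99 and ASSAP are the identifiers from the posted extract.

: --- As posted (weak). The nat 0 ACL is a NAT exemption only: a port clause
: here is ignored. With the sysopt bypass, decrypted PPTP client traffic is never
: checked against from-outside, so clients reach every port on ASSAP.
ip local pool VPN-IP-POOL 10.1.1.1-10.1.1.254
access-list vpn-nonat permit ip host ASSAP 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
sysopt connection permit-pptp
access-group from-outside in interface outside

: --- Corrected. Keep nat 0 as a pure IP exemption, drop the bypass so
: from-outside is applied to the decrypted client traffic, permit the tunnel
: to the PIX itself, then allow exactly one host and one port and deny the rest.
ip local pool VPN-IP-POOL 10.1.1.1-10.1.1.254
access-list vpn-nonat permit ip host ASSAP 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpn-nonat
no sysopt connection permit-pptp
: PPTP control channel and GRE data tunnel from the clients to the outside address
access-list from-outside permit tcp any host 80.x.x.99 eq 1723
access-list from-outside permit gre any host 80.x.x.99
: Decrypted client traffic: ASSAP on TCP/80 only, everything else from the pool dropped
access-list from-outside permit tcp 10.1.1.0 255.255.255.0 host ASSAP eq 80
access-list from-outside deny ip 10.1.1.0 255.255.255.0 any
access-group from-outside in interface outside
```

Two points to check before relying on this. PIX evaluates access-list entries top-down in the order they were entered, and the existing from-outside entries are not shown in the extract, so the pool rules above need to sit ahead of any broader permit already in that ACL; the explicit deny for the pool is there so that such a permit cannot let the clients through. The IPsec case the first post also mentions has the same shape: no sysopt connection permit-ipsec, plus permits for udp any host 80.x.x.99 eq isakmp and esp any host 80.x.x.99 in front of the per-port rule for the pool.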