Cisco Support Community
How do I limit VPN Client users to a single internal server when they reach the servers through globally translated addresses?

Core issue

Because the VPN users reach the servers through their global (statically translated) IP addresses, the traffic cannot be restricted with a nat (inside) 0 access-list statement. NAT exemption only decides which inside traffic bypasses translation; it does not filter what the decrypted VPN traffic may reach, and while sysopt connection permit-ipsec is in effect, decrypted IPsec traffic is not checked against the interface ACL at all.

Resolution

Remove the sysopt connection permit-ipsec command from the PIX Firewall configuration so that decrypted VPN traffic is subject to the ACL on the outside interface. Then add statements to the ACL applied to the outside interface permitting Encapsulating Security Payload (ESP, IP protocol 50) and UDP 500 (ISAKMP) to the outside interface address, so the tunnel can still be built, followed by a statement permitting traffic from the VPN address pool to the global address of the specific server only. The implicit deny at the end of the ACL blocks the VPN pool from every other global address. If the VPN Clients use NAT Traversal, UDP 4500 must be permitted as well.

For more information on how to configure PIX ACLs, refer to Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX.
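The following PIX 6.x configuration is an added example that is not part of the original article. It shows the resolution above end to end; all addresses, the ACL name (outside_in) and the pool name (vpnpool) are assumed for illustration.

```cisco
! Constructed example; addresses and names are assumptions, not from the original page.
! Outside interface address: 203.0.113.1
! Inside server 10.1.1.10, reachable from outside at its global address 203.0.113.10
static (inside,outside) 203.0.113.10 10.1.1.10 netmask 255.255.255.255 0 0

! Address pool handed to VPN Clients (assumed range)
ip local pool vpnpool 192.168.100.1-192.168.100.254

! Stop IPsec traffic from bypassing the outside ACL
no sysopt connection permit-ipsec

! 1. Let the IPsec tunnel itself be negotiated and carried
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit udp any host 203.0.113.1 eq 4500
access-list outside_in permit esp any host 203.0.113.1

! 2. Decrypted VPN traffic: only the pool, only the one server's global address
access-list outside_in permit ip 192.168.100.0 255.255.255.0 host 203.0.113.10

! 3. Everything else from the pool (and from the Internet) is dropped by the implicit deny
access-group outside_in in interface outside
```

The UDP 4500 line is only needed when NAT Traversal is in use. Removing sysopt connection permit-ipsec affects every IPsec peer on the box, so any site-to-site tunnels that previously relied on the bypass need their own permit statements in the same ACL. After a VPN Client connects, show access-list outside_in should show hit counts climbing on the pool-to-server line, and attempts to reach any other global address from the client should appear as denies in the syslog.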
