02-07-2003 05:53 AM - edited 02-20-2020 10:32 PM
I'm using the VPN client 3.6 to grant access to a PC on my network using the following:
access-list 80 permit ip host 10.0.0.14 host 192.168.15.1
nat 0 access-list 80
But with this configuration the user who enters my network has complete access to the PC 10.0.0.14. I want to limit this access only to telnet, for example.
Is there any way to do this without using a RADIUS server?
Thanks in advance.
02-10-2003 06:55 PM
I set this up and played around for a while and can't get it to work. The best I can do is stop the external user from pinging the inside host with:
> access-list outbound deny ip host 10.0.0.14 host 192.168.15.1
> access-list outbound permit ip any any
> access-group outbound in interface inside
All other TCP and UDP based packets go through the PIX's ASA and a hole is opened up to allow them back out (just like outbound packets are allowed back in without having to be specifically permitted). ICMP packets don't go through the ASA and therefore can be denied with an ACL.
You also can't use ports in a NAT 0 ACL, so that doesn't work either.
Sorry, I can't think of anything.
02-17-2003 07:27 PM
You need to tell the PIX NOT to explicitly allow IPSec traffic with the "no sysopt permit-ipsec" command. This will force the VPN traffic to use the rules that allow inbound traffic.
if you were using conduits
conduit permit tcp host 10.0.0.14 eq 23 host 192.168.15.1
Access-lists
access-list to-inside permit tcp host 192.168.15.1 host 10.0.0.14 eq 23
and apply it to the outside interface.
I hope that helps.
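The pieces described in this reply, assembled into one PIX 6.x fragment as an added example (not the poster's own configuration); the asker's follow-up reports the host was still fully reachable after this change, so check the ACL hit counters before trusting it. Assumptions: the ACL names "nonat" and "to-inside", the interface names "inside" and "outside", and the full form of the sysopt command, "sysopt connection permit-ipsec", which is what the reply abbreviates.

```cisco
! Exempt only the VPN client <-> protected host pair from NAT (the nat 0 ACL cannot carry ports)
access-list nonat permit ip host 10.0.0.14 host 192.168.15.1
nat (inside) 0 access-list nonat

! Inbound policy on the outside interface: telnet to the one host, everything else dropped by the implicit deny
access-list to-inside permit tcp host 192.168.15.1 host 10.0.0.14 eq telnet
access-group to-inside in interface outside

! Stop decrypted IPSec traffic from bypassing the outside ACL (assumed full command form)
no sysopt connection permit-ipsec

! Verification from the VPN client: only the permit line should accumulate hits
! show access-list to-inside
```

If a non-telnet connection from 192.168.15.1 still succeeds, the decrypted traffic is not being evaluated against to-inside and the sysopt setting is the first thing to re-check.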
02-18-2003 06:10 AM
I tried using "no sysopt permit-ipsec" and using the access-list you suggested, but the entire hole is still open.
Do I have to erase the nat 0 or anything else?
Thanks,