Cisco Support Community

Allowing of Specific Public IP through IPSEC VPN

Dear Sir,

We have a Central office which acts as a HUB location for all the database access from remote locations.

At the central location we have internet connectivity using a Cisco 2610 router; we also have a Cisco PIX firewall deployed for security purposes.

We have configured VPN on the firewall for remote access clients who want to access central site lan with secured vpn tunnel.

The new requirement is to allow the VPN from specific public IPs only and block the rest of the world (public IPs). We have more than 4 remote sites, each using a fixed public IP, that will connect via VPN to the central site for accessing the LAN.

Please advise with a sample config for the above scenario.

PIX config related to VPN is as listed below.

!--- Access list to avoid Network Address Translation (NAT)
!--- on the IPSec packets
access-list 101 permit ip

!--- IP addresses on the interfaces
ip address outside
ip address inside
ip address dmz
ip local pool vpnpool

!--- Binding ACL 101 to the NAT statement to avoid NAT
!--- on the IPSec packets
nat (inside) 0 access-list 101

!--- Default route to the Internet
route outside 1

!--- The sysopt command avoids conduit
!--- on the IPSec encrypted traffic
sysopt connection permit-ipsec
no sysopt route dnat

!--- Phase 2 encryption type
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- Binding the IPSec engine on the outside interface
crypto map mymap interface outside

!--- Enabling Internet Security Association and
!--- Key Management Protocol (ISAKMP) key exchange
isakmp enable outside
isakmp identity address

!--- ISAKMP policy for VPN Client running 3.x or 4.x code
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- IPSec group configuration for either VPN Client
vpngroup test address-pool vpnpool
vpngroup test default-domain
vpngroup test idle-time 1800
vpngroup test password test123

!--- To allow simultaneous access to the
!--- internal network and to the Internet
vpngroup vpn3000 split-tunnel 101

Please advise with a sample config for the above scenario.

Thanks & Regards



Re: Allowing of Specific Public IP through IPSEC VPN

I am not quite clear on what exactly is needed here. Do you want the VPN connection to your central site only from fixed IP addresses? If yes, then will you block all the VPN connections from the clients from other addresses? I think the access-list commands that are used in the crypto map need to be modified.

Experts out there, can anybody say more on this.
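One way to limit the tunnel to known peers on a PIX 6.x, as an added example that is neither the poster's config nor a Cisco-supplied one: drop the catch-all dynamic map and define one static crypto map entry per fixed remote address, so the PIX only negotiates IPsec with those peers. It assumes each remote site terminates the tunnel on an IPsec-capable device at its fixed public IP (a LAN-to-LAN tunnel instead of the VPN Client); the peer addresses, LAN subnets, ACL names and keys are placeholders.

```text
!--- Added example, not the original poster's config. Addresses, subnets,
!--- ACL names and keys are placeholders; substitute the real values.

!--- 1. Remove the dynamic entry, which accepts a tunnel from any source address
no crypto map mymap 10 ipsec-isakmp dynamic dynmap

!--- 2. Bind a pre-shared key to each fixed remote public IP (host mask).
!---    no-xauth / no-config-mode keep these LAN-to-LAN peers from being
!---    treated as remote-access clients if client authentication is enabled.
isakmp key SITE1-KEY-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key SITE2-KEY-PLACEHOLDER address 198.51.100.20 netmask 255.255.255.255 no-xauth no-config-mode

!--- 3. Interesting traffic per site: central LAN (placeholder 10.1.0.0/16)
!---    to each remote LAN (placeholder subnets)
access-list site1 permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list site2 permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0

!--- 4. One static crypto map entry per peer; a source that matches no
!---    "set peer" has no entry to negotiate against
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 match address site1
crypto map mymap 20 set peer 203.0.113.10
crypto map mymap 20 set transform-set myset

crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 match address site2
crypto map mymap 30 set peer 198.51.100.20
crypto map mymap 30 set transform-set myset

!--- 5. Keep the tunnelled traffic out of NAT by extending the existing
!---    nat 0 ACL with the same source/destination pairs
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.10.0 255.255.255.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 192.168.20.0 255.255.255.0
```

Removing the dynamic map also disables the existing vpngroup remote-access setup, which is the intended effect when only the fixed sites may connect; add a further sequence number for each additional fixed peer.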

