Client VPN - How to limit to specific host/port?

Hi,

I have a PIX-515 running 6.3.5 code serving as firewall/VPN appliance. I have many site-to-site and client VPNs working fine. However, I am looking for a way to do split tunnel at port-level granularity.

E.g., for VPN profile vendor2, limit the access to 192.168.100.210 on ports 80 and 81 only. Below is my config.

object-group service tcp-80-81 tcp
port-object range www 81
object-group network consultant-vpn2-dst
network-object host 192.168.100.210
object-group network vpn-clientpool-2
network-object 192.168.101.64 255.255.255.224
!
access-list consultant-vpn2 permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
access-list no-nat permit tcp object-group consultant-vpn2-dst object-group tcp-80-81 object-group vpn-clientpool-2
!
ip local pool vpn-pool2 192.168.101.64-192.168.101.95
!
nat (inside) 0 access-list no-nat
!
vpngroup vendor2 address-pool vpn-pool2
vpngroup vendor2 default-domain mydomain.com
vpngroup vendor2 split-tunnel consultant-vpn2
vpngroup vendor2 idle-time 1800
vpngroup vendor2 password ********

This config works fine but upon connection, I see the split tunnel happening at the IP level. I am able to ping or pass any other kind of traffic to the host even though the ACL is extended and permits only port 80/81.

Is there a way to limit the VPN client to specific ports only?

Accepted Solution

Green

Re: Client VPN - How to limit to specific host/port?

One way would be to...

1. Remove sysopt connection permit-ipsec.

2. Write the access you desire in your outside access list.

no sysopt connection permit-ipsec
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 80
access-list outside_access_in permit tcp object-group vpn-clientpool-2 object-group consultant-vpn2-dst eq 81
access-group outside_access_in in interface outside

Note: the actual ACL may differ depending on what you already have. Also, if you have other VPNs, the access for those subnets would need to be allowed, since removing the sysopt command would block their access.
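The following model illustrates the behaviour the thread describes, as an added example that is not part of the original post or reply and is not Cisco code. It separates the two decisions the PIX makes: the split-tunnel ACL only picks which destinations the client sends into the tunnel (so its port qualifiers have no filtering effect, which is why ping still reaches the host), while an ACL applied with access-group on the outside interface filters on the full protocol/port tuple once sysopt connection permit-ipsec no longer bypasses it. Addresses, ports and ACL names are taken from the thread; the client address 192.168.101.70 and the host 192.168.100.211 are constructed for the demonstration.

```python
"""Model of split-tunnel routing versus interface-ACL filtering on the PIX
as discussed in the thread. Added example, not from the poster or Cisco."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

net = ipaddress.ip_network
addr = ipaddress.ip_address


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port range."""
    action: str                       # "permit" or "deny"
    protocol: str                     # "ip", "tcp", "udp" or "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: Optional[int] = None    # None means any destination port
    dport_hi: Optional[int] = None


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None       # None for ICMP


def _port_match(ace: Ace, pkt: Packet) -> bool:
    if ace.dport_lo is None:
        return True
    return pkt.dport is not None and ace.dport_lo <= pkt.dport <= ace.dport_hi


def _full_match(ace: Ace, pkt: Packet) -> bool:
    proto_ok = ace.protocol == "ip" or ace.protocol == pkt.protocol
    return proto_ok and pkt.src in ace.src and pkt.dst in ace.dst and _port_match(ace, pkt)


def split_tunnel_decision(split_acl, pkt: Packet) -> str:
    """'tunnel' if the destination is one of the protected networks pushed to the
    client, else 'clear'. The split-tunnel ACL in the thread is written from the
    inside perspective (source = protected host, destination = client pool), so
    the protected network is ace.src. Protocol and ports are deliberately
    ignored: this is the IP-level split tunneling the poster observed."""
    for ace in split_acl:
        if ace.action == "permit" and pkt.dst in ace.src:
            return "tunnel"
    return "clear"


def interface_acl_decision(acl, pkt: Packet) -> str:
    """First-match evaluation with the implicit deny at the end, as for an ACL
    applied with access-group on the outside interface."""
    for ace in acl:
        if _full_match(ace, pkt):
            return ace.action
    return "deny"


def evaluate(split_acl, outside_acl, pkt: Packet, sysopt_permit_ipsec: bool = False):
    """Returns (route, verdict). Traffic sent in the clear never enters the
    tunnel, so only tunneled packets meet the outside ACL. With
    'sysopt connection permit-ipsec' still present (the poster's state) the
    decrypted traffic bypasses the interface ACL entirely."""
    route = split_tunnel_decision(split_acl, pkt)
    if route == "clear":
        return ("clear", None)
    if sysopt_permit_ipsec:
        return ("tunnel", "permit")
    return ("tunnel", interface_acl_decision(outside_acl, pkt))


CLIENT = addr("192.168.101.70")   # constructed address inside vpn-pool2
SERVER = addr("192.168.100.210")  # consultant-vpn2-dst from the thread
POOL = net("192.168.101.64/27")   # vpn-clientpool-2 from the thread

# Thread's split-tunnel ACL consultant-vpn2 (inside perspective, ports 80-81).
SPLIT_ACL = [Ace("permit", "tcp", net("192.168.100.210/32"), POOL, 80, 81)]

# Accepted answer's outside_access_in ACL (client perspective, eq 80 / eq 81).
OUTSIDE_ACL = [
    Ace("permit", "tcp", POOL, net("192.168.100.210/32"), 80, 80),
    Ace("permit", "tcp", POOL, net("192.168.100.210/32"), 81, 81),
]


def demo(sysopt_permit_ipsec: bool = False):
    """Constructed client traffic -> {label: (route, outside-ACL verdict)}."""
    cases = {
        "http_80": Packet("tcp", CLIENT, SERVER, 80),
        "http_81": Packet("tcp", CLIENT, SERVER, 81),
        "ping": Packet("icmp", CLIENT, SERVER),
        "ssh_22": Packet("tcp", CLIENT, SERVER, 22),
        "other_host": Packet("tcp", CLIENT, addr("192.168.100.211"), 80),  # constructed
    }
    return {k: evaluate(SPLIT_ACL, OUTSIDE_ACL, p, sysopt_permit_ipsec) for k, p in cases.items()}


if __name__ == "__main__":
    for label, (route, verdict) in demo().items():
        print(f"{label:10s} route={route:6s} outside_acl={verdict}")
```

Running demo() with sysopt_permit_ipsec=True reproduces the poster's complaint (every tunneled packet, ping included, is permitted); with the default of False, only ports 80 and 81 to 192.168.100.210 pass and the ping hits the implicit deny, while traffic to a host outside the split-tunnel list never enters the tunnel at all.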

