Cisco Support Community

New Member

Controlling VPN client access to internal network

After asking through the TAC and receiving "This is not a supported configuration", I will ask in here.

Here is what I want to achieve:

We want to give a business partner access to a Terminal Server that hosts a home-made application. This server is not to be put in the DMZ; it has access to too much sensitive data about our clients.

So it needs to be put inside the internal network.

So, we chose to give our business partner access to our network, but we would like to limit this access to the one machine and only the port needed on this machine.

Why? Because we don't have the resources to do audits of their computers before allowing them access to our network.

So if they have viruses or trojans, this would solve the problem.

I have configured an address pool specific to those users, so I can spot them easily on the network and use an ACL to limit their access.

My problem is that... how do I use ACL to limit their access.

When a VPN client connects through the VPN, how are packets handled inside the PIX? Do they come from the outside, or the inside?

Where do I need to put the ACL to actively filter their connections?

We use PIX-515 v6.3.

We could probably update to 7 if it is needed for this setup.

We don't have a spare PIX so that I can test anything. I must test in a live environment, so I must be extra careful.

Thanks in advance for any help I can receive.

Patrick Ouellet

New Member

Re: Controlling VPN client access to internal network

If you want to restrict access of VPN clients to your internal hosts, it's easy.

You need to configure a noNAT ACL, and give access from your VPN pool only to the Terminal Server and only to the needed port. All other packets will be dropped by the PIX.

I'm not familiar with Terminal Server, but if you give access only to this server, your VPN client can get access to other hosts in your net via the Term Server.


Re: Controlling VPN client access to internal network

Disable the command below:

(no) sysopt connection permit-ipsec

sysopt connection permit-ipsec:

To let IPSec packets bypass interface access lists, use the sysopt connection permit-ipsec command in global configuration mode. Group policy and per-user authorization access lists still apply to the traffic.

With this command disabled, you will need to configure an inbound ACL in order to permit VPN traffic.


access-list 110 permit ip
access-list 120 permit ip
access-list 130 permit tcp host eq 3389
ip local pool ippool2
nat (inside) 0 access-list 110
access-group 130 in interface outside
vpngroup vpnclient address-pool ippool2
vpngroup vpnclient dns-server
vpngroup vpnclient split-tunnel 120
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password ********

Don't forget other VPN traffic such as LAN-to-LAN VPN; it needs to be permitted by the inbound ACL as well.

Further, the TAC you discussed with may need to be "re-trained" again, as I learnt this from a TAC.
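The two answers above describe the same approach: a noNAT ACL for the pool, and (with `sysopt connection permit-ipsec` disabled) an inbound ACL on the outside interface that lets the partner pool reach only the Terminal Server on its one port. The following is an added, complete PIX 6.3 configuration illustrating that approach; it is not taken from either reply. All addresses, names and the port are constructed example values (inside network 192.168.10.0/24, Terminal Server 192.168.10.25, partner pool 10.99.0.0/24, RDP on TCP 3389) and must be replaced with your own.

```cisco
! Added example, not from the original thread. Constructed values:
!   inside network  192.168.10.0/24
!   Terminal Server 192.168.10.25 (inside)
!   partner pool    10.99.0.1 - 10.99.0.254
!   vpngroup name   partner

! 1. Stop decrypted IPsec traffic from bypassing the outside interface ACL.
no sysopt connection permit-ipsec

! 2. Dedicated address pool for the partner, so their traffic is easy to spot.
ip local pool partnerpool 10.99.0.1-10.99.0.254

! 3. NAT exemption (noNAT) between inside hosts and the partner pool.
access-list nonat permit ip 192.168.10.0 255.255.255.0 10.99.0.0 255.255.255.0
nat (inside) 0 access-list nonat

! 4. Split tunnel: only the Terminal Server is reached through the tunnel.
!    (source = host behind the PIX, destination = client pool)
access-list splittunnel permit ip host 192.168.10.25 10.99.0.0 255.255.255.0

! 5. Inbound ACL on the outside interface. Decrypted client packets enter here,
!    so the pool is allowed a single destination and port, then denied everything.
access-list outside_in permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.25 eq 3389
access-list outside_in deny ip 10.99.0.0 255.255.255.0 any
! Any other VPN traffic (e.g. LAN-to-LAN peers) that must still pass through
! the outside interface needs its own permit lines in this ACL.
access-group outside_in in interface outside

! 6. VPN group handed to the partner.
vpngroup partner address-pool partnerpool
vpngroup partner split-tunnel splittunnel
vpngroup partner idle-time 1800
vpngroup partner password <REPLACE-WITH-GROUP-PASSWORD>
```

Since this is being applied on a live firewall, the useful check after a partner connects is `show access-list outside_in`: the hit counter on the `permit tcp ... eq 3389` line should increase while they use the application, and the hit counter on the `deny ip` line shows any attempt from the pool to reach anything else. The explicit `deny` for the pool is placed before any other permits so that later, broader entries in the same ACL cannot accidentally widen the partner's access.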

New Member

Re: Controlling VPN client access to internal network

Thank you for your answers.

I will be looking into that tomorrow, as my workday is over, and will let you know what comes out.

Thank you again very much.


Re: Controlling VPN client access to internal network

thanks for your update and good luck