How to deny VPN clients from certain locations?

jasonhumes
Level 1

Hi

I've got a pix515 and I've configured it for remote access VPN using the Cisco VPN client, and this is working. Is there any way that I can restrict who can connect to the pix via this VPN? I tried to do this with an access-list on the outside permitting esp and isakmp from the public IPs of the clients I want to allow, but this did not work because any public IP could still connect and the access-list showed no hits on those particular rules. Any ideas?

5 Replies

ehirsel
Level 6

Access-lists on interfaces restrict what traffic passes through the pix, not traffic destined to it such as VPN connectivity. That is why the acls are not working and have zero hit counts.

Since the vpn client usually comes from different ip addresses, it would be better to restrict by configuring different policies on the vpn client.

What versions of pix and vpn client code are you using? For vpn client code v3 and higher, you have vpngroup names and passwords that can be of aid.

Alongside that, what type of user authentication methods are you using? Radius, local, tacacs, or a combo of the three?

I don't see how policies can be used to restrict what IP the client can connect from. The clients will always use the same source IP (depending on what site they reside in), and that is why I want to restrict the connection to only those sites where valid clients reside. I am using pix 6.3(3) and the latest Cisco VPN Client with local authentication. Any ideas? Thanks

AFAIK the Pix has no way to restrict ISAKMP or ESP to its interface. But you can get around this by adding an ACL to your internet router that would accomplish the same thing.

OK...so since I don't have control over my upstream router, I can't control who can connect. Funny that the pix has no native way of limiting this. Thanks for your help.

rvdoever
Level 1

If you have used the statement 'sysopt connection permit-ipsec', IPSec traffic will pass even if your access-list denies it. So just disable this with 'no sysopt connection permit-ipsec'. You should now be able to specify exactly what IPSec traffic you want to allow.
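As an added illustration (not part of the reply above), here is the PIX 6.3 configuration the thread arrives at: the weak setting that lets any peer negotiate a tunnel, followed by the corrected version that only accepts isakmp/esp from the sites where valid clients sit. The addresses are constructed: 198.51.100.1 is assumed to be the pix outside interface, 203.0.113.10 and 203.0.113.20 the two permitted client sites, and 10.10.10.0/24 the client address pool.

```cisco
! --- Weak: inbound ACL is bypassed for IPsec, so the lines below never get hits ---
sysopt connection permit-ipsec
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
access-group outside_in in interface outside

! --- Corrected: make IPsec subject to the outside ACL, then permit only the known sites ---
no sysopt connection permit-ipsec
no access-list outside_in

! IKE (UDP/500) and ESP from site 1 (constructed address)
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.10 host 198.51.100.1
! IKE and ESP from site 2 (constructed address)
access-list outside_in permit udp host 203.0.113.20 host 198.51.100.1 eq isakmp
access-list outside_in permit esp host 203.0.113.20 host 198.51.100.1
! Only needed if NAT traversal is enabled: NAT-T moves IKE/ESP to UDP/4500
access-list outside_in permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list outside_in permit udp host 203.0.113.20 host 198.51.100.1 eq 4500

! Without the sysopt, decrypted client traffic is also checked by this ACL,
! so the assumed client pool must be allowed through to the inside network
access-list outside_in permit ip 10.10.10.0 255.255.255.0 any

! Everything else to the outside interface is dropped by the implicit deny
access-group outside_in in interface outside
```

After the change, 'show access-list outside_in' should start showing hit counts on the isakmp/esp lines as the permitted sites connect, and negotiation attempts from any other source are dropped before IKE begins. Any other inbound traffic you previously relied on the sysopt to admit (for example other site-to-site peers) needs its own permit line in the same ACL.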