09-03-2007 05:14 PM
Hi Folks,
In order to give my customers access to my internal network, I installed a VPN client configuration on my 6.3(5) PIX. Everything is fine, but for security reasons I need to implement some control for them. Thing is, my access-list says permit ip x.x.x.x to my internal network, OK?
I changed my access-list to permit tcp x.x.x ....x.x.x.x eq x, permitting only the port they need to access my application, but it is not working.
The log says "there is not translation for x.x.x. to x.x.x", but if I modify my access-list to permit ip x.x.x..., it works fine.
What do I need to do?
Martin
09-04-2007 05:39 AM
Martin,
You'll have to be more specific. Which access-list are you talking about? Do you have sysopt connection permit-ipsec in your configuration? Could you post a clean configuration and explain the access you want to allow? Thanks.
09-04-2007 10:41 AM
09-04-2007 11:30 AM
Okay, so I suppose you want to limit the vpn clients to only connect to your inside on port 1433? Is this correct?
I would start by splitting up your ACLs...
access-list nat0 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
access-list 100 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
no nat (inside) 0 access-list 100
nat (inside) 0 access-list nat0
You COULD then limit the traffic with the following...
no sysopt connection permit-ipsec
access-list outside_access_in permit tcp 172.25.1.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 1433
access-group outside_access_in in interface outside
Caution: You will have to explicitly allow all your IPsec traffic from all VPNs.
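The answer above boils down to three configuration checks: the NAT-exemption ACL should not carry port qualifiers, it should not be the same ACL the VPN uses, and `sysopt connection permit-ipsec` must be off before an interface ACL can restrict decrypted VPN traffic. The script below is an added example (not part of this thread and not a Cisco tool) that lints a PIX 6.3-style configuration fragment for exactly those three pitfalls. Both sample configurations are constructed: the "before" mirrors what the question implies, the "after" mirrors the answer. The `vpngroup ... split-tunnel` line is an assumption about how ACL 100 was referenced, since the original poster's configuration did not survive on the page; the `crypto map ... match address` pattern is handled for the site-to-site case.

```python
import re
from typing import Dict, List, Tuple

# Regexes for the handful of PIX 6.3 statements the checks need.
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(?:permit|deny)\s+(\S+)\s+(.*)$")
NAT0_RE = re.compile(r"^nat\s+\(\S+\)\s+0\s+access-list\s+(\S+)")
CRYPTO_MATCH_RE = re.compile(r"^crypto\s+map\s+\S+\s+\d+\s+match\s+address\s+(\S+)")
SPLIT_TUNNEL_RE = re.compile(r"^vpngroup\s+\S+\s+split-tunnel\s+(\S+)")
PORT_RE = re.compile(r"\b(?:eq|neq|gt|lt|range)\s+\S+")


def lint_pix_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means none of the three pitfalls was seen."""
    acls: Dict[str, List[Tuple[str, str]]] = {}   # ACL name -> [(protocol, rest of line)]
    nat0_acls: List[str] = []                      # ACLs referenced by 'nat (...) 0 access-list'
    vpn_acls: List[str] = []                       # ACLs referenced by crypto map / split-tunnel
    sysopt_permit_ipsec = False                    # tracks the last sysopt statement seen
    has_access_group = False                       # an interface ACL is applied somewhere

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "sysopt connection permit-ipsec":
            sysopt_permit_ipsec = True
        elif line == "no sysopt connection permit-ipsec":
            sysopt_permit_ipsec = False
        elif line.startswith("access-group "):
            has_access_group = True
        elif ACL_RE.match(line):
            m = ACL_RE.match(line)
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif NAT0_RE.match(line):                  # 'no nat ...' does not match: anchored at ^nat
            nat0_acls.append(NAT0_RE.match(line).group(1))
        elif CRYPTO_MATCH_RE.match(line):
            vpn_acls.append(CRYPTO_MATCH_RE.match(line).group(1))
        elif SPLIT_TUNNEL_RE.match(line):
            vpn_acls.append(SPLIT_TUNNEL_RE.match(line).group(1))

    findings: List[str] = []
    for name in nat0_acls:
        # Check 1: NAT exemption should match on addresses, not ports.
        for proto, rest in acls.get(name, []):
            if PORT_RE.search(rest):
                findings.append(
                    f"NAT exemption ACL '{name}' has a port-qualified entry "
                    f"('{proto} {rest}'); nat 0 should match on ip, not on ports")
        # Check 2: one ACL doing both nat 0 and VPN duty is the thing the answer splits.
        if name in vpn_acls:
            findings.append(
                f"ACL '{name}' is used both for nat 0 and for the VPN "
                f"(crypto map / split-tunnel); use separate ACLs")
    # Check 3: with sysopt on, decrypted IPsec traffic bypasses the interface ACL entirely.
    if sysopt_permit_ipsec and has_access_group:
        findings.append(
            "sysopt connection permit-ipsec is enabled: decrypted IPsec traffic bypasses "
            "the interface access-group, so the port restriction there is not enforced")
    return findings


# Constructed 'before' fragment: one ACL with a port qualifier serves both nat 0 and the VPN.
BAD_CONFIG = """
sysopt connection permit-ipsec
access-list 100 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224 eq 1433
nat (inside) 0 access-list 100
vpngroup customers split-tunnel 100
access-list outside_access_in permit tcp 172.25.1.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 1433
access-group outside_access_in in interface outside
"""

# Constructed 'after' fragment following the answer: split ACLs, sysopt off, port limit on the interface ACL.
FIXED_CONFIG = """
no sysopt connection permit-ipsec
access-list nat0 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
access-list 100 permit tcp 192.168.1.0 255.255.255.0 172.25.1.0 255.255.255.224
no nat (inside) 0 access-list 100
nat (inside) 0 access-list nat0
vpngroup customers split-tunnel 100
access-list outside_access_in permit tcp 172.25.1.0 255.255.255.224 192.168.1.0 255.255.255.0 eq 1433
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("before", BAD_CONFIG), ("after", FIXED_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_pix_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Running it reports three findings for the "before" fragment and none for the "after" one. The `no nat (inside) 0 access-list 100` line is deliberately ignored by the regex, which is anchored at `^nat`, so the old reference does not count as a live one.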