Cisco Support Community

New Member

Limiting access for VPN Client

Hi Folks,

In order to give my customers access to my internal network, I installed a VPN client configuration on my 6.3(5) PIX. Everything is fine, but for security issues I need to implement some control for them. Thing is, my access-list says permit ip x.x.x.x to my internal, OK?

I changed my access-list to permit tcp x.x.x ....x.x.x.x eq x, permitting only the port they need to access my application, but it is not working.

The log says "there is not translation for x.x.x. to x.x.x", but if I modify my access-list to permit ip x.x.x..., it works fine.

What do I need to do?



Re: Limiting access for VPN Client


You'll have to be more specific. Which access-list are you talking about? Do you have sysopt connection permit-ipsec in your configuration? Could you post a clean configuration and explain the access you want to allow? Thanks.

New Member

Re: Limiting access for VPN Client

Thanks for your help,

That is my config.



Re: Limiting access for VPN Client

Okay, so I suppose you want to limit the VPN clients to only connect to your inside on port 1433? Is this correct?

I would start by splitting up your ACLs...

access-list nat0 permit tcp

access-list 100 permit tcp

no nat (inside) 0 access-list 100

nat (inside) 0 access-list nat0

You COULD then limit the traffic with the following...

no sysopt connection permit-ipsec

access-list outside_access_in permit tcp eq 1433

access-group outside_access_in in interface outside

Caution: You will have to explicitly allow all your ipsec traffic from all vpns.
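The same approach written out as a complete PIX 6.3 fragment, added here as an example and not taken from the poster's configuration; the inside network (10.1.1.0/24), the application server (10.1.1.5) and the VPN client pool (192.168.100.0/24) are constructed values.

```cisco
! Added example with constructed addresses (not from this thread):
!   inside LAN       10.1.1.0/24, application server 10.1.1.5 (TCP 1433)
!   VPN client pool  192.168.100.0/24
!
! 1. NAT exemption list: keep this a plain "ip" permit between the two
!    address ranges. It only decides which traffic is excluded from NAT;
!    a port test here does not belong, and is what leaves the client's
!    connection without a translation.
access-list nat0 permit ip 10.1.1.0 255.255.255.0 192.168.100.0 255.255.255.0
no nat (inside) 0 access-list 100
nat (inside) 0 access-list nat0
!
! 2. Stop decrypted IPsec traffic from bypassing the interface ACL.
no sysopt connection permit-ipsec
!
! 3. Port filtering goes on the outside interface: the client pool may
!    reach the server on 1433 only. Every other VPN (remote-access pool
!    or LAN-to-LAN peer) now needs its own explicit permit in this list.
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.5 eq 1433
access-group outside_access_in in interface outside
```

Check the result with "show access-list outside_access_in" (hit counts per line) while a client connects, and watch the log for any remaining translation errors before rolling this out to production.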