I'm trying to control which VPN clients are able to create tunnels on the PIX. The PIX is configured to create tunnels based on identity certificates; however, I'm unable to restrict which workstations can create a tunnel. I have configured "no sysopt connection permit-ipsec", but the ACL is not restricting the workstations.
The "sysopt connection permit-ipsec" command will allow all traffic that comes inside the tunnel to pass through the PIX without another layer of access control. Without this command, you need to open up your PIX to allow specific traffic to pass that comes through the VPN tunnel. This command is useful only after the tunnel is built.
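The distinction described in the reply above, as an added configuration example that is not part of the original thread: the weak form leaves the sysopt in place so decrypted tunnel traffic bypasses the interface ACL; the hardened form removes it and permits only the services the VPN clients need. The ACL name, interface name, client pool and internal server addresses are hypothetical, and the lines beginning with "!" are annotations rather than PIX commands. As the reply says, this only filters traffic after the tunnel is built; it does not decide which workstation may build one.

```text
! Weak form: decrypted VPN traffic is never checked against the outside ACL.
sysopt connection permit-ipsec
ip local pool vpnpool 10.1.1.1-10.1.1.50

! Hardened form: remove the sysopt, then permit only what clients need.
no sysopt connection permit-ipsec
ip local pool vpnpool 10.1.1.1-10.1.1.50
! VPN clients (pool 10.1.1.0/24) may reach the RDP host and the mail host only
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.20 eq 25
! anything else arriving on the outside interface, tunnelled or not, is dropped
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

With the hardened form, a client that has already built a tunnel still cannot reach anything inside except the two permitted services, which is the "another layer of access control" the reply refers to. Check the result with "show access-list outside_in" and confirm the deny counters increment when a client tries an unlisted destination.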
I am not sure if one can restrict tunnel building based on the workstation IP address. Can someone throw more light on this?