
Restrict client VPN access on IOS 12.4

I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on an 1841 router running IOS 12.4(9).

With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).

Is there any way to restrict the client VPN traffic on the outside interface?

Cheers,

Christoph.

Accepted Solutions

Re: Restrict client VPN access on IOS 12.4

Hi,

The feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4

In short, define your post encryption ACL, go into your crypto-map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}
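
A configuration sketch of the approach in the answer above, added here as an illustration and not part of the original post. The ACL and dynamic-map names, the client pool 10.10.10.0/24, the server 192.168.1.10, the outside address 203.0.113.1 and the permitted ports are all constructed placeholders.

```cisco
! Constructed example: every name and address below is a placeholder.
!   VPN client address pool : 10.10.10.0/24
!   Internal server         : 192.168.1.10
!   Router outside address  : 203.0.113.1
!
! Outside interface ACL: on 12.4 it is checked against the encrypted
! packets only, so it permits the tunnel itself, not the inner traffic.
ip access-list extended OUTSIDE-IN
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 deny   ip any any log
!
! Crypto access check ACL: matched against the clear-text packets after
! decryption. Source is the client pool, destination is the inside host.
ip access-list extended VPN-CLIENT-IN
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 22
 deny   ip any any log
!
! Attach the check to the dynamic map the VPN clients terminate on.
! "in" filters decrypted inbound packets; "out" would filter packets
! before they are encrypted towards the client.
crypto dynamic-map CLIENT-DYNMAP 10
 set ip access-group VPN-CLIENT-IN in
!
! Verify from exec mode: the per-entry hit counters show which client
! traffic is being permitted or dropped.
!   show ip access-lists VPN-CLIENT-IN
```

The explicit `deny ip any any log` entries duplicate the implicit deny so that dropped client traffic shows up in the counters and the log.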


Re: Restrict client VPN access on IOS 12.4

Thanks!!!

I knew it would be something simple...

I was looking for something under the client configuration - did not think of checking under the dynamic-map section.

Cheers,

Christoph.
