Restrict client VPN access on IOS 12.4

lanscape
Level 1

I am trying to restrict client VPN access to certain ports for specific client VPNs terminating on a 1841 router running IOS 12.4(9).

With pre-12.4 IOS versions this could be done using the outside ACL, but with version 12.4 it seems that VPN connections are allowed even without having a "permit" statement in the outside ACL (similar to "sysopt connection permit-ipsec" on the PIX).

Is there any way to restrict the client VPN traffic on the outside interface?

Cheers,

Christoph.

1 Accepted Solution

Accepted Solutions

dominic.caron
Level 5

Hi,

The feature you're looking for is called:

Crypto Access Check on Clear-Text Packets

Check it out in the Cisco IOS Security Configuration Guide, Release 12.4

In short, define your post-encryption ACL, go into your crypto map and apply it with:

set ip access-group {access-list-number | access-list-name} {in | out}
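The approach from the accepted answer written out as a full configuration, as an added example that is not from the thread or from Cisco documentation. Names and addresses are placeholders: 10.10.10.0/24 is assumed to be the Easy VPN client pool, 192.168.1.10 an internal web server, 192.168.1.53 an internal DNS server, and DYNMAP/CMAP the dynamic and static crypto maps the clients terminate on.

```cisco
! Post-decryption ACL: evaluated on clear-text client packets after IPsec
! decryption, so it is matched on the inner (pool) addresses, not the
! client's public address. Placeholder addresses throughout.
ip access-list extended VPN-CLIENT-IN
 remark allow only HTTPS to the web server and DNS to the resolver
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
 permit udp 10.10.10.0 0.0.0.255 host 192.168.1.53 eq 53
 remark everything else from the client pool is dropped and logged
 deny ip any any log
!
! The ACL is attached inside the dynamic crypto map the client VPNs land on.
! "in" applies the check to traffic arriving from the tunnel after decryption;
! the interface ACL on the outside no longer sees these packets on 12.4.
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
 set ip access-group VPN-CLIENT-IN in
 reverse-route
!
crypto map CMAP 65535 ipsec-isakmp dynamic DYNMAP
!
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map CMAP
```

After a client connects, "show ip access-lists VPN-CLIENT-IN" shows the per-entry hit counts, which is the quickest way to confirm the check is actually being applied to the decrypted traffic.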

Thanks!!!

I knew it would be something simple...

I was looking for something under the client configuration - did not think of checking under the dynamic-map section.

Cheers,

Christoph.
