09-21-2006 07:56 AM - edited 02-21-2020 02:37 PM
I have a LAN-to-LAN IPsec VPN working (PIX 501), but I would like to restrict the access from LAN A to LAN B. I tried to use the "no sysopt connection permit-ipsec" command with some changes in the ACCESS-LIST bound to the outside interface. It did not work. Any help would be welcome (doc, previous experience, etc.).
09-26-2006 04:08 PM
i think the line 3 in the acl 101 should be:
access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica
09-24-2006 05:13 AM
What you were trying to do is totally correct. The other way is that if you want to restrict traffic at the IP layer and not layer 4, then you can restrict it in the nat 0 access-list.
Otherwise, removing the sysopt and then restricting the access in the access-list bound to the outside interface is the right way. Unfortunately, Cisco does not have any document for specifically doing this.
09-26-2006 01:04 PM
I have 3 access-lists as shown below.
I'm adding the new command (line 3) to the 101 one.
Is that right, or should I use one of the VPN access-lists?
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 3 elements
access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=21870)
access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2300)
access-list 101 line 3 permit tcp FAA 255.255.255.0 any eq citrix-ica (hitcnt=0)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1339)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=2891)
09-27-2006 09:09 AM
It did not work.
I even tried to remove the "eq citrix-ica" to test, but the thin client could not connect to the Citrix server and the line did not count any hits.
Something else is missing.
Thanks anyway
09-27-2006 11:01 AM
IT WORKS NOW!
I added one more line, for UDP port 1604, to the ACL (see below) and it worked.
Thanks once more.
Result of firewall command: "show access-list"
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 256)
alert-interval 300
access-list 101; 4 elements
access-list 101 line 1 permit tcp any host 200.162.219.47 eq https (hitcnt=22074)
access-list 101 line 2 permit tcp any host 200.162.219.47 eq smtp (hitcnt=2329)
access-list 101 line 3 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica (hitcnt=1)
access-list 101 line 4 permit udp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq 1604 (hitcnt=1)
access-list inside_outbound_nat0_acl; 1 elements
access-list inside_outbound_nat0_acl line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=1360)
access-list outside_cryptomap_20; 1 elements
access-list outside_cryptomap_20 line 1 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0 (hitcnt=3147)
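The following is an added example, not the poster's running configuration, that collects the restriction this thread converges on into one PIX 6.3 fragment. It covers both approaches named in the 09-24 reply: narrowing at the IP layer through the nat 0 / crypto ACLs, and removing the sysopt so the outside interface ACL filters the decrypted tunnel traffic by port. FAA is the thread's own placeholder for the LAN B network and is not valid PIX syntax; the peer address 203.0.113.1, the crypto map name outside_map and the transform set ESP-3DES-MD5 are assumptions.

```cisco
! Added example (not from the original post). PIX 6.3 syntax assumed.
! FAA = LAN B network as redacted in the thread; 203.0.113.1, outside_map
! and ESP-3DES-MD5 are placeholders.

! 1. Stop IPsec-decrypted traffic from bypassing the outside interface ACL.
!    Note: this applies to every IPsec tunnel terminating on the PIX,
!    including any remote-access clients, not only this LAN-to-LAN peer.
no sysopt connection permit-ipsec

! 2. Outside ACL: flows the remote LAN (FAA) may initiate into 192.168.0.0/24.
!    Citrix ICA needs both the TCP session port (citrix-ica = 1494) and the
!    UDP ICA browser port 1604; with only the TCP line the thread saw hitcnt=0.
access-list 101 permit tcp any host 200.162.219.47 eq https
access-list 101 permit tcp any host 200.162.219.47 eq smtp
access-list 101 permit tcp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq citrix-ica
access-list 101 permit udp FAA 255.255.255.0 192.168.0.0 255.255.255.0 eq 1604
! (everything else from the tunnel hits the implicit deny ip any any)
access-group 101 in interface outside

! 3. NAT exemption and crypto ACL work at the IP layer only. Narrowing these
!    to specific hosts limits what is carried in the tunnel at all, but they
!    cannot match TCP/UDP ports, which is why the port filter lives in ACL 101.
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0
nat (inside) 0 access-list inside_outbound_nat0_acl
access-list outside_cryptomap_20 permit ip 192.168.0.0 255.255.255.0 FAA 255.255.255.0

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 20 ipsec-isakmp
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 203.0.113.1
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

! 4. Verify: the hit counters on the two FAA lines should increment when a
!    thin client on FAA opens an ICA session; nothing else from FAA should
!    produce hits on lines 1 and 2, since their destination is the public host.
show access-list 101
```

Two caveats worth checking before applying this. First, the outside ACL only governs flows initiated from FAA toward 192.168.0.0/24; the PIX is stateful, so whatever hosts on 192.168.0.0/24 initiate toward FAA is still allowed by the crypto ACL and its replies pass through the state table. Restricting that direction as well takes an ACL applied inbound on the inside interface. Second, because `no sysopt connection permit-ipsec` is global, every other tunnel on the same outside interface becomes subject to ACL 101 at the same moment, so any other peers need their own permit lines added first.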