Cisco Support Community
New Member

Restrict source-addresses for client VPN on a per policy-group basis on PIX

Hi,

I am using a Cisco PIX 515E running 7.0 and I can't find any way of restricting the source address for VPN client users that access my VPN device. I want to apply the restriction not globally, but only for a particular group policy or tunnel group. Is this possible on a PIX?

Thanks,

Tony

4 REPLIES
Bronze

Re: Restrict source-addresses for client VPN on a per policy-gro

Hi Tony,

You need to use the 'vpn-filter value xx' command, which is under the group-policy configuration mode. The xx is the ACL number which you use to define the allowed hosts to connect to the VPN group. For more information, please refer to the article at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Please rate the post if it is useful!

Regards,

Green

Re: Restrict source-addresses for client VPN on a per policy-gro

I don't think that will do what he wants. The vpn-filter will only restrict traffic after the client has established the VPN. It will not prevent them from connecting to the VPN in the first place. Also, the source address at that point would be whatever is specified in the VPN pool, not the public address where the client was coming from.

New Member

Re: Restrict source-addresses for client VPN on a per policy-gro

Correct! I have already tried the vpn-filter command and I can't see the point of it. It's like another access-list this time applied to the group-policy rather than the tunnel-group and it only applies to the already encrypted packets.

I also know that I can use the 'no sysopt connection permit ipsec', but then I would have to allow all the public IP addresses that use the PIX for VPN and with 20 tunnels and various companies/ISPs this is not an option. I need to configure something on the group-policy itself if possible.

Anyway, thanks for your comments.

Regards,

Tony

Green

Re: Restrict source-addresses for client VPN on a per policy-gro

How many source addresses are you trying to block? You would not have to allow sources individually as you could just deny the ones you don't want connecting and allow everything else. Maybe I misunderstood.

I think the only option you have with the PIX is the 'no sysopt-conn ipsec' method, but that would be global of course. Are you authenticating users against RADIUS? You could look into using "Calling-Station-Identifier" to deny users from certain addresses.
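To make the vpn-filter suggestion from the first reply concrete, and to show why the second and third replies say it does not answer the original question, here is an added example configuration. It is not from this thread or from Cisco's documentation; the pool, ACL, group-policy and tunnel-group names and all addresses are constructed placeholders, and the syntax assumes PIX 7.0. The ACL named by vpn-filter is written with the client's assigned pool address as the source and the protected network as the destination, so the filter only ever sees pool addresses, never the public address the client connected from.

```cisco
! Added example, not from the thread. All names and addresses are constructed.
! Assumes PIX 7.0 remote-access (ipsec-ra) syntax.

! Address pool handed to clients of this tunnel group
ip local pool SALES_POOL 10.0.100.1-10.0.100.50 mask 255.255.255.0

! Traffic the SALES group may send once the tunnel is up:
! source = assigned pool address, destination = application subnet only.
! Everything else from the pool is dropped and logged.
access-list SALES_VPN_FILTER extended permit ip 10.0.100.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list SALES_VPN_FILTER extended deny ip any any log

! Per-group filter: applies to this group-policy only, not globally
group-policy SALES internal
group-policy SALES attributes
 vpn-filter value SALES_VPN_FILTER

! Tie the pool and the group-policy to the tunnel group
tunnel-group SALES type ipsec-ra
tunnel-group SALES general-attributes
 address-pool SALES_POOL
 default-group-policy SALES

! Caveat (matches reply 2): the filter matches 10.0.100.x, the pool address the
! PIX assigned, so it cannot decide which public addresses may build the tunnel.
```

This limits what an authenticated client of the SALES group can reach, which is worth doing on its own, but as the thread concludes it does not gate who may establish the tunnel; that decision still has to be made before the pool address exists, for example on the RADIUS server using the Calling-Station-Id attribute mentioned in the last reply.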
