08-02-2007 04:52 AM
Hi,
I have a site-to-site VPN and VPN clients,
and for VPN traffic I have no NAT and sysopt connection permit-ipsec.
I want to configure a port-based access-list for the VPN client, for SSH access from one of my VPN clients to a machine inside my LAN network.
If I remove the sysopt connection permit-ipsec, will my existing VPN branch tunnel go down?
And can I use a named access-list for the VPN client so I can get the SSH access?
I'm using a PIX 515E with IOS 6.3.
08-02-2007 05:02 AM
Zaheer, you can remove sysopt conn permit-ipsec and write the access list on the outside interface.
no sysopt conn permit-ipsec
access-list outside_access_in permit tcp host
access-group outside_access_in in interface outside
As far as taking the VPN down temporarily goes, I tested this on an ASA and the VPN remained up after I removed the sysopt command.
08-02-2007 05:11 AM
Thank you for replying Adam
Will check that.
08-02-2007 05:12 AM
No problem, hope it helps.
Why all the 2 ratings?
08-02-2007 05:17 AM
Hi Adam,
Just one more question before I try it.
I have a VPN group for my VPN clients with split-tunneling,
and each VPN group has an access-list.
Also I have an access-list for my outside-to-inside traffic.
So will I have to merge all my VPN group ACLs into the outside-to-inside ACLs?
08-02-2007 05:19 AM
What do your split-tunnel ACLs look like?
08-02-2007 06:03 AM
The vpngroup and the ACL for it are as follows:
access-list acl_test permit tcp host 10.0.0.55 host 192.168.x.x eq ssh
vpngroup test address-pool abc
vpngroup test split-tunnel acl_test
vpngroup test idle-time 1800
vpngroup test password ********
10.0.0.55 is my VPN client,
and my server is in the 192.168.x.x range.
08-02-2007 06:11 AM
access-list acl_test permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
no sysopt conn permit-ipsec
access-list outside_access_in permit tcp host 10.0.0.55 host 192.168.x.x eq 22
access-group outside_access_in in interface outside
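A fuller PIX 6.3 configuration laying out the arrangement Adam describes, added here as an editor's example and not taken from any post in this thread. The address pool, the inside server address and the branch subnet are placeholders. The point it adds beyond the commands above is that once sysopt connection permit-ipsec is removed, the decrypted traffic from the existing site-to-site tunnel is also checked against the outside interface ACL, so that peer needs its own permit lines or the branch tunnel will stay up yet pass nothing.

```text
! Split-tunnel (interesting traffic) ACL for the VPN client group.
! Pool 10.0.0.0/24 and inside LAN 192.168.0.0/16 are placeholder addresses.
access-list acl_test permit ip 192.168.0.0 255.255.0.0 10.0.0.0 255.255.255.0
vpngroup test address-pool abc
vpngroup test split-tunnel acl_test
vpngroup test idle-time 1800
vpngroup test password ********

! Stop decrypted IPsec traffic from bypassing the interface ACL.
no sysopt connection permit-ipsec

! Everything arriving through a tunnel is now filtered by this ACL.
! 1. The VPN client may reach the server (placeholder 192.168.1.10) on SSH only.
access-list outside_access_in permit tcp host 10.0.0.55 host 192.168.1.10 eq ssh
! 2. The existing site-to-site branch (placeholder 172.16.0.0/24) keeps its
!    access; without this line its traffic hits the implicit deny.
access-list outside_access_in permit ip 172.16.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-group outside_access_in in interface outside
```

The nat 0 and crypto map statements already on the box are unchanged by this; only the filtering of decrypted traffic changes. After applying it, open an SSH session from the client and check that the hit count on the SSH line increases with show access-list outside_access_in, and that the branch line also counts hits once the other site sends traffic.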
08-02-2007 06:21 AM
So it's going to be like: my acl_test is my interesting traffic for the VPN, and ACL outside_access_in is for the SSH.
Thank you Adam.