Need help with ACL to restrict VPN traffic

tom.brockman
Level 1

I don't know if this question is best asked in the VPN forum or here. Thanks in advance for any help offered.

I have a client that is using a PIX for remote user VPN clients. They would like to restrict a VPN client to accessing a single host (10.1.1.1) over a single TCP port (9000). The PIX by default allows all encrypted traffic to bypass the access-lists (more accurately, the PIX uses ACLs only to determine what traffic should be encrypted).

So how to restrict the client to only accessing TCP 9000? There is a Catalyst 3560 layer 2 switch on the interior network. I can create an ACL to restrict traffic between the remote VPN network (192.168.1.0 /24) and the interior host (10.1.1.1). When I apply this to the inbound traffic on the server VLAN, it kills all traffic:

switch1(config)# access-list 102 permit tcp 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255 eq 9000

switch1(config)# access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255

switch1(config)# access-list 102 permit ip any any

switch1(config)# int vlan6 (this is the VLAN the 10.1.1.1 host is in)

switch1(config-if)# ip access-group 102 in

Is this correct? Applying this seems to kill all traffic on that VLAN. What is the correct way to do this?

Thanks

1 Reply

If 10.1.1.1 is the server the users on the 192.168.1.0/24 network are accessing on TCP port 9000 then reconfigure the access list 102 as follows and try.

access-list 102 permit tcp 10.1.1.1 0.0.0.0 eq 9000 192.168.1.0 0.0.0.255

access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255

access-list 102 permit ip any any

HTH

Sundar
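Why the reply's version works and the original does not comes down to where `eq 9000` sits in the entry: written after the destination address it matches the destination port, but the server's replies carry 9000 as their source port and an ephemeral destination port, so the original first line never matches and the `deny ip` line below it drops every reply. The model below is an added example, not code from the thread or from Cisco; it parses both ACLs as posted, evaluates them against constructed packets (the client address 192.168.1.10 and the ephemeral ports are made up), and adds an assumed companion ACL 103 that is not in the thread. That companion exists because an ACL applied `in` on interface vlan6 only sees packets the server sends: client packets to other ports still reach the server and only the answers are dropped. Filtering the client-to-server direction takes an ACL on the interface where the VPN traffic enters the switch, whose name the thread does not give.

```python
# Added example (not Cisco code): an offline model of IOS extended-ACL matching.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Ace:  # one entry of a numbered extended ACL
    action: str  # "permit" or "deny"
    proto: str  # "ip" matches any protocol
    src: str
    src_wild: str
    dst: str
    dst_wild: str
    sport: Optional[int]  # 'eq N' written after the SOURCE address
    dport: Optional[int]  # 'eq N' written after the DESTINATION address

def _addr(toks):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (addr, wildcard, rest)."""
    if toks[0] == "any":
        return "0.0.0.0", "255.255.255.255", toks[1:]
    if toks[0] == "host":
        return toks[1], "0.0.0.0", toks[2:]
    return toks[0], toks[1], toks[2:]

def _port(toks):
    """Consume an optional 'eq N'; return (port or None, rest)."""
    return (int(toks[1]), toks[2:]) if toks[:1] == ["eq"] else (None, toks)

def parse_ace(line: str) -> Ace:
    toks = line.split()
    if toks[0] == "access-list":
        toks = toks[2:]  # drop "access-list <number>"
    action, proto, rest = toks[0], toks[1], toks[2:]
    src, src_wild, rest = _addr(rest)
    sport, rest = _port(rest)
    dst, dst_wild, rest = _addr(rest)
    dport, _ = _port(rest)
    return Ace(action, proto, src, src_wild, dst, dst_wild, sport, dport)

def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.strip().splitlines() if l.strip()]

def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wild))
    return (a & ~w) & 0xFFFFFFFF == (n & ~w) & 0xFFFFFFFF

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and wildcard_match(pkt.src, ace.src, ace.src_wild)
            and wildcard_match(pkt.dst, ace.dst, ace.dst_wild)
            and ace.sport in (None, pkt.sport) and ace.dport in (None, pkt.dport))

def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"

# The two ACLs from the thread, verbatim. Applied 'in' on vlan6 they see only packets the server sends.
ORIGINAL_ACL = parse_acl("""
access-list 102 permit tcp 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255 eq 9000
access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
""")
CORRECTED_ACL = parse_acl("""
access-list 102 permit tcp 10.1.1.1 0.0.0.0 eq 9000 192.168.1.0 0.0.0.255
access-list 102 deny ip 10.1.1.1 0.0.0.0 192.168.1.0 0.0.0.255
access-list 102 permit ip any any
""")
# Assumed companion ACL (not from the thread) for the interface where VPN-client traffic enters the switch.
CLIENT_SIDE_ACL = parse_acl("""
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 10.1.1.1 eq 9000
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 10.1.1.1
access-list 103 permit ip any any
""")
# Constructed sample packets; the client address and ephemeral ports are made up.
REPLY_9000 = Packet("tcp", "10.1.1.1", 9000, "192.168.1.10", 51234)  # server -> client
REPLY_SSH = Packet("tcp", "10.1.1.1", 22, "192.168.1.10", 51235)
CLIENT_SYN_9000 = Packet("tcp", "192.168.1.10", 51234, "10.1.1.1", 9000)
CLIENT_SYN_SSH = Packet("tcp", "192.168.1.10", 51235, "10.1.1.1", 22)

def run_examples() -> dict:
    return {
        "original_reply_9000": evaluate(ORIGINAL_ACL, REPLY_9000),
        "corrected_reply_9000": evaluate(CORRECTED_ACL, REPLY_9000),
        "corrected_reply_ssh": evaluate(CORRECTED_ACL, REPLY_SSH),
        "client_syn_9000": evaluate(CLIENT_SIDE_ACL, CLIENT_SYN_9000),
        "client_syn_ssh": evaluate(CLIENT_SIDE_ACL, CLIENT_SYN_SSH),
    }
```

`run_examples()` returns `deny` for the server's port-9000 reply under the original ACL and `permit` under the corrected one, while the port-22 reply is denied by both; the assumed ACL 103 permits the client's SYN to port 9000 and denies the one to port 22. The parser only understands `any`, `host`, wildcard pairs and `eq`, which is all the thread's entries use.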
