Cisco PIX V7.1 Client VPN Access Limit Question


Have Cisco client VPN working fine to a PIX running V7.1.  Now we are trying to limit the access for the VPN Client Group to certain servers / ports, etc.

It seems the way to do this is to change the IPSEC rules in the ASDM under VPN / IPSEC / IPSEC RULES.  The default rule from the VPN Client Wizard has

Protect for any on the host side and the network of the VPN pool on the remote side, applied to the tunnel policy.

If any changes are made to this rule, the client will not connect ("no matching crypto map").  Even if there are three rules put in for TCP/UDP/ICMP matching the one rule that is set for IP.  It has been verified that the configuration changes to reflect just that one change.

What works is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any

What does not work is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any

Other postings have been reviewed, so what is the "proper" way to limit client VPN access with V7.1?


Can you post your running config from the PIX?

Also, which host do you want to give the VPN clients access to?

ort11Author Commented:
Hi, the only change in the config is the listings above.  I'll see if I can post the non-working config.  There will be several hosts / ports that will need access.  Let's say, for discussion, there is a host that needs VPN client access on port 1433.

ort11Author Commented:
Here are the interesting bits of the working config.  The only changes are in the access-list when permit ip is changed.

access-list new-west_splitTunnelAcl standard permit any
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any

group-policy new-west internal
group-policy new-west attributes
 dns-server value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
username new-west password [deleted] encrypted privilege 0
username new-west attributes
 vpn-group-policy new-west

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map 0-Fibernet-Internet_map 65535 ipsec-isakmp dynamic 0-Fibernet-Internet_dyn_map
crypto map 0-Fibernet-Internet_map interface 0-Fibernet-Internet

isakmp enable 0-Fibernet-Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400


ort11Author Commented:
0-Internet is the same as 0-Fibernet-Internet; I removed Fibernet from the first examples.

How are they connecting? Using the Cisco client?

Without the complete config, I cannot give you the exact command. However, in order to limit the VPN client to only certain IPs, you will need to use split tunnel. In your case, I see that

split-tunnel-network-list value new-west_splitTunnelAcl

is used for the split tunnel.

Looking at the acl it is

access-list new-west_splitTunnelAcl standard permit any

which allows all traffic to come through. In order to limit hosts, do this:

no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host

This will limit VPN clients to only one host.

As far as restricting to port, I am not sure if it is doable. I have seen it on the concentrators but not on the PIX.
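As an added example (not from this thread, and not Cisco's own documentation), the split-tunnel change above combined with a vpn-filter ACL on the same group-policy, which is how traffic is restricted per host and per port on the 7.x software: the crypto-map ACL stays "permit ip" as the author found, and the restriction is applied in the group policy instead. The group-policy and split-tunnel ACL names are the thread's; the host address 10.1.1.25, the client pool 192.168.100.0/24 and the ACL name new-west_vpnFilter are assumed placeholders, and the vpn-filter command is assumed to be present on this particular 7.1 build.

```cisco
! Added example, not from the original thread. Host 10.1.1.25, pool
! 192.168.100.0/24 and ACL name new-west_vpnFilter are assumed values.

! 1. Split tunnel: only traffic destined for the one host goes through the tunnel.
no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host 10.1.1.25

! 2. vpn-filter: restrict what the clients may do inside the tunnel by port.
!    Written from the client side (source = VPN pool) to the inside host
!    (destination); the PIX evaluates it for both directions of the flow.
access-list new-west_vpnFilter extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.25 eq 1433
access-list new-west_vpnFilter extended permit icmp 192.168.100.0 255.255.255.0 host 10.1.1.25 echo
! Everything else from the clients is dropped by the implicit deny at the end.

! 3. Apply both to the group policy the clients already receive.
group-policy new-west attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
 vpn-filter value new-west_vpnFilter

! 4. Leave the crypto-map ACL alone: it must stay "permit ip" for the
!    dynamic crypto map to match the client's proposal.
! crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20

! Check hit counts after a client connects and tries port 1433 and another port.
show access-list new-west_vpnFilter
```

Note that the split-tunnel ACL only controls which destinations the client routes into the tunnel; it does not filter ports. The vpn-filter ACL is the part that enforces the port restriction, so the hit counts from "show access-list" are the place to confirm that a connection to port 1433 is permitted while anything else to that host is denied.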

ort11Author Commented:
Thanks, that seemed to work via command line.  Where in the ASDM would this be set?

I thought that I had tried this before asking the question, but ????

Thanks again.
