Cisco PIX V7.1 Client VPN Access Limit Question

Posted on 2006-04-18
Last Modified: 2010-05-18

Have Cisco client VPN working fine to a PIX running V7.1.  Now we are trying to limit the access for the VPN Client Group to certain servers / ports, etc.

It seems the way to do this is to change the IPSEC rules in the ASDM under VPN / IPSEC / IPSEC RULES.  The default rule from the VPN Client Wizard has

Protect, with any on the host side and the net of the VPN pool on the remote side, applied to the tunnel policy.  

If any changes are made to this rule, the client will not connect, with "no matching crypto map".  Even if there are three rules put in for TCP/UDP/ICMP matching the one rule that is set for IP.  The configuration has been verified that it changes to reflect just the one change.

What works is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any

What does not work is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any  
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any  
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any

Other postings have been reviewed, so what is the "proper" way to limit client VPN access with V7.1?

Question by:ort11

    Expert Comment

    Can you post your running config from PIX?

    Also, which hosts do you want to give VPN clients access to?

    Author Comment

    Hi, the only change in the config is the listings above.  I'll see if I can post the non-working config.  There will be several hosts / ports that will need access.  Let's say, for discussion, there is a host that needs VPN client access on port 1433.


    Author Comment

    Here are the interesting bits of the working config.  The only changes are in the access-list when "permit ip" is changed.

    access-list new-west_splitTunnelAcl standard permit any
    access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any

    group-policy new-west internal
    group-policy new-west attributes
     dns-server value
     split-tunnel-policy tunnelspecified
     split-tunnel-network-list value new-west_splitTunnelAcl
    username new-west password [deleted] encrypted privilege 0
    username new-west attributes
     vpn-group-policy new-west

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20
    crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 set transform-set ESP-3DES-SHA
    crypto map 0-Fibernet-Internet_map 65535 ipsec-isakmp dynamic 0-Fibernet-Internet_dyn_map
    crypto map 0-Fibernet-Internet_map interface 0-Fibernet-Internet

    isakmp enable 0-Fibernet-Internet
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400


    Author Comment

    0-Internet is the same as 0-Fibernet-Internet; I removed Fibernet from the first examples.

    Accepted Solution

    How are they connecting? Using Cisco Client?

    Without the complete config, I cannot give you the exact command. However, in order to limit VPN Clients to only certain IPs, you will need to use split tunnel. In your case, I see that

    split-tunnel-network-list value new-west_splitTunnelAcl

    is used for the split tunnel.

    Looking at the acl it is

    access-list new-west_splitTunnelAcl standard permit any

    which allows all traffic to come through. In order to limit hosts, do this:

    no access-list new-west_splitTunnelAcl standard permit any
    access-list new-west_splitTunnelAcl standard permit host

    This will limit VPN Clients to only one host.

    As far as restricting to a port, I am not sure if it is doable. I have seen it on the concentrators but not on the PIX.
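    Putting the accepted answer together with the port requirement from the question, here is an added configuration example. It is not from this thread and has not been verified against the poster's box; it keeps the crypto-map match ACL as the wizard built it, narrows the split-tunnel list to one host, and uses the PIX 7.x group-policy vpn-filter attribute to restrict that host to TCP 1433. The addresses 10.20.30.40 (SQL Server) and 192.168.250.0/24 (VPN client pool) are assumed, as is the ACE direction for the vpn-filter ACL (source = remote client pool, destination = local host); confirm it with "show access-list new-west_vpnFilter" hit counts after a test connection.

```text
! --- Added example, not from the thread. Addresses are assumed:
!     10.20.30.40      = internal SQL Server (TCP 1433)
!     192.168.250.0/24 = VPN client address pool
!
! 1. Leave the crypto-map match ACL alone. The dynamic map needs the broad
!    "permit ip" entry so the client's proposal matches it; narrowing it to
!    tcp/udp/icmp is what produced "no matching crypto map" in the question.
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any 192.168.250.0 255.255.255.0
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20

! 2. Split tunnel: only the SQL host is sent into the tunnel; everything
!    else leaves the client directly. Standard ACL, one "host" entry per server.
no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host 10.20.30.40

! 3. Port restriction (assumed: vpn-filter on the group policy). The ACL is
!    written with the client pool as source and the local host as destination.
!    Anything not permitted here is dropped after decryption, so this is
!    enforced on the PIX rather than trusting the client's routing table.
access-list new-west_vpnFilter extended permit tcp 192.168.250.0 255.255.255.0 host 10.20.30.40 eq 1433
access-list new-west_vpnFilter extended permit icmp 192.168.250.0 255.255.255.0 host 10.20.30.40 echo

group-policy new-west attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
 vpn-filter value new-west_vpnFilter
```

    The split-tunnel list only controls which destinations the client routes into the tunnel; a client that adds its own route can still send other traffic down it, so the split-tunnel ACL alone is not an access control. The vpn-filter ACL is what actually denies traffic on the firewall, and it is default-deny, which is why the ICMP echo entry is there: without it, ping to the SQL host fails during testing even though the split tunnel is correct.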

    Author Comment

    Thanks, that seemed to work via command line.  Where in the ASDM would this be set?


    I thought that I had tried this before asking the question, but ????  

    Thanks again.
