ort11
Cisco PIX V7.1 Client VPN Access Limit Question
Hi:
Have Cisco client VPN working fine to a PIX running V7.1. Now we are trying to limit the access for the VPN client group to certain servers / ports, etc.
It seems the way to do this is to change the IPsec rules in ASDM under VPN / IPSEC / IPSEC RULES. The default rule from the VPN Client Wizard has
Protect for "any" on the host side and the net of the VPN pool on the remote side, applied to the tunnel policy.
If any changes are made to this rule, the client will not connect, with "no matching crypto map". Even if three rules are put in for TCP/UDP/ICMP matching the one rule that is set for IP. The configuration has been verified to change to reflect just the one change.
What works is
access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any 172.17.48.0 255.255.255.0
What does not work is
access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any 172.17.48.0 255.255.255.0
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any 172.17.48.0 255.255.255.0
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any 172.17.48.0 255.255.255.0
Other postings have been reviewed, so what is the "proper" way to limit client VPN access with V7.1?
Thanks
ASKER
Hi, the only changes in the config are the listings above. I'll see if I can post the non-working config. There will be several hosts / ports that will need access. Let's say for discussion 172.17.32.10 is a host that needs VPN client access on port 1433.
ASKER
Here are the interesting bits of the working config. The only changes are in the access-list, when permit ip is changed.
--------------------------
access-list new-west_splitTunnelAcl standard permit any
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any 172.17.48.0 255.255.255.0
group-policy new-west internal
group-policy new-west attributes
dns-server value 172.17.32.50
split-tunnel-policy tunnelspecified
split-tunnel-network-list value new-west_splitTunnelAcl
username new-west password [deleted] encrypted privilege 0
username new-west attributes
vpn-group-policy new-west
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map 0-Fibernet-Internet_map 65535 ipsec-isakmp dynamic 0-Fibernet-Internet_dyn_map
crypto map 0-Fibernet-Internet_map interface 0-Fibernet-Internet
isakmp enable 0-Fibernet-Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
--------------------------
ASKER
0-Internet is the same as 0-Fibernet-Internet; I removed Fibernet from the first examples.
ASKER CERTIFIED SOLUTION
ASKER
Thanks, that seemed to work via command line. Where in ASDM would this be set?
It is in CONFIGURATION / VPN / GROUP POLICY / SPLIT TUNNEL NETWORK LIST / MANAGE BUTTON / STANDARD ACL
I thought that I had tried this before asking the question, but ????
Thanks again.
ort11
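For readers following the thread, here is the shape of the change the asker ended up with, written out as an added example rather than a copy of anyone's actual configuration. The ACL and group-policy names, the 172.17.48.0/24 pool, the 172.17.32.50 DNS server and the 172.17.32.10:1433 host come from the thread; the vpn-filter ACL and its name new-west_vpnFilter are an assumption added here as a separate mechanism that the thread does not mention, and the ACE direction (client pool as source, internal server as destination) follows the usual PIX/ASA convention for remote-access filters.

```cisco
! Added example, not the asker's or the expert's configuration.
!
! 1. Leave the dynamic crypto-map ACL as the wizard wrote it. For a
!    remote-access (dynamic) crypto map the proxy identity must stay
!    "ip any <pool>"; narrowing it to tcp/udp/icmp is why the client
!    fails with "no matching crypto map".
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any 172.17.48.0 255.255.255.0
!
! 2. Narrow the split-tunnel list from "permit any" to the hosts that
!    clients should route through the tunnel (standard ACL: hosts/nets
!    only, no ports). This is the ASDM path the asker found:
!    CONFIGURATION / VPN / GROUP POLICY / SPLIT TUNNEL NETWORK LIST.
no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host 172.17.32.10
access-list new-west_splitTunnelAcl standard permit host 172.17.32.50
!
! 3. Assumption, beyond what the thread shows: a split-tunnel list is
!    pushed to the client and only decides what the client sends into
!    the tunnel; the PIX does not enforce it per port. Port-level
!    restriction (the "port 1433" requirement) needs a vpn-filter ACL,
!    which the PIX applies to decrypted client traffic. Written with
!    the client pool as source and the internal server as destination.
access-list new-west_vpnFilter extended permit tcp 172.17.48.0 255.255.255.0 host 172.17.32.10 eq 1433
access-list new-west_vpnFilter extended permit udp 172.17.48.0 255.255.255.0 host 172.17.32.50 eq domain
!
group-policy new-west attributes
 dns-server value 172.17.32.50
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
 vpn-filter value new-west_vpnFilter
```

Step 2 alone reproduces what the thread confirms worked; step 3 is the piece to verify separately, since the DNS entry is needed to keep name resolution through the tunnel once a filter is in place, and any host omitted from the filter becomes unreachable for clients even if it is in the split-tunnel list.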
Also, which hosts do you want to give VPN clients access to?