• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 245
  • Last Modified:

Ciscio Pix V7.1 Client VPN Access Limit Question

Hi:

Have cisco client vpn working fine to a pix running V7.1.  Now we are trying to limit the access for the VPN Client Group to certian servers / ports, etc.

It seems to do this is to change the IPSEC rules in the ADM in the VPN / IPSEC / IPSEC RULES.  The defaule rule from the VPN Client Wizard has

Protect for the any for host side and the net of the VPN pool on the remote side applied to the tunnel policy.  

If any changes are made to this rule, the client will not connect with no matching crypto map.  Even if there are three rules put in for TCP/UDP/ICMP matching the one rule that is set for IP.  The configuration has been verified that it changes to reflect just the one change.

What works is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any 172.17.48.0 255.255.255.0

What does not work is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any 172.17.48.0 255.255.255.0  
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any 172.17.48.0 255.255.255.0  
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any 172.17.48.0 255.255.255.0

Other postings have been reviwed, so what is the "proper" way to limit client vpn access with V7.1?

Thanks
0
ort11
Asked:
ort11
  • 4
  • 2
1 Solution
 
naveedbCommented:
Can you post your running config from PIX?

Also, what host you want to give access to VPN clients?
0
 
ort11Author Commented:
Hi, the only change in the config are the listings above.  I'll see if I can post the none working config.  There will be several hosts / ports that will need access.  Let's say for discussion 172.17.32.10 is a host that needs vpn client access with port 1433.

0
 
ort11Author Commented:
here are the interesting bits of the working config.  The only changes are in the access-list when permit ip is changed.
------------------------------------------

access-list new-west_splitTunnelAcl standard permit any
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any 172.17.48.0 255.255.255.0

group-policy new-west internal
group-policy new-west attributes
 dns-server value 172.17.32.50
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
username new-west password [deleted] encrypted privilege 0
username new-west attributes
 vpn-group-policy new-west

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map 0-Fibernet-Internet_map 65535 ipsec-isakmp dynamic 0-Fibernet-Internet_dyn_map
crypto map 0-Fibernet-Internet_map interface 0-Fibernet-Internet

isakmp enable 0-Fibernet-Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
ort11Author Commented:
0-internet is the same is 0-Fibernet-Internet, I removed Fibernet from the first examples
0
 
naveedbCommented:
How are they connecting? Using Cisco Client?

Without complete config, I can not give you exact command. However in order to limit VPN Client to only certain IPS, you will need to use split tunnel. In your case, I see that

split-tunnel-network-list value new-west_splitTunnelAcl

is used for the split tunnel.

Looking at the acl it is

access-list new-west_splitTunnelAcl standard permit any

Which allows all traffic to come through. In order to limit hosts do this

no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host 172.17.32.10

This will limit VPN Clients to only one host 172.17.32.10

As far as restricting to port, I am not sure if it is doable. I have seen it on the concentrators but not on the PIX.
0
 
ort11Author Commented:
Thanks, that seemed to work via command line.  Where in the ADSM would this be set?    

It is in CONFIGURATION / VPN / GROUP POLICY / SPLIT TUNNEL NETWORK LIST / MANAGE BUTTON / STANDARD ACL

I thought that I had tried this before asking the question, but ????  

Thanks again.

ort11
0

Featured Post

How to Use the Help Bell

Need to boost the visibility of your question for solutions? Use the Experts Exchange Help Bell to confirm priority levels and contact subject-matter experts for question attention.  Check out this how-to article for more information.

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now