Cisco PIX V7.1 Client VPN Access Limit Question
Posted on 2006-04-18
Have the Cisco VPN client working fine to a PIX running V7.1. Now we are trying to limit the access for the VPN client group to certain servers / ports, etc.
It seems the way to do this is to change the IPsec rules in ASDM under VPN / IPsec / IPsec Rules. The default rule from the VPN Client Wizard has
Protect for any on the host side and the net of the VPN pool on the remote side, applied to the tunnel policy.
If any changes are made to this rule, the client will not connect, with "no matching crypto map". This happens even if three rules are put in for TCP/UDP/ICMP matching the one rule that is set for IP. The configuration has been verified to change to reflect just the one change.
What works is:
access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any 172.17.48.0 255.255.255.0
What does not work is:
access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any 172.17.48.0 255.255.255.0
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any 172.17.48.0 255.255.255.0
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any 172.17.48.0 255.255.255.0
Other postings have been reviewed, so what is the "proper" way to limit client VPN access with V7.1?
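As an added configuration example (not part of the original post, and not a reply from the forum): on PIX/ASA 7.x the crypto ACL behind a dynamic crypto map has to stay `permit ip`, because the Cisco VPN client proposes an IP-level proxy identity (its pool address to any, protocol "any") during IKE quick mode, and a TCP-, UDP- or ICMP-only entry does not match that proposal, which is exactly the "no matching crypto map" failure described above. Restricting what the connected client may reach is done separately with a `vpn-filter` ACL attached to the group policy, which is evaluated on the decrypted traffic. The internal host addresses, the `VPN_CLIENT_FILTER` ACL name and the `VPNCLIENTS` group-policy and tunnel-group names below are assumed placeholders; only the crypto ACL name and the 172.17.48.0/24 pool come from the post.

```cisco
! Crypto ACL stays as the wizard wrote it: IP, not TCP/UDP/ICMP,
! otherwise the client's proxy identity never matches the dynamic map.
access-list 0-Internet_cryptomap_dyn_20 extended permit ip any 172.17.48.0 255.255.255.0

! vpn-filter ACL. For a remote-access group policy the source is the
! address assigned from the VPN pool and the destination is the internal
! resource; the filter is applied to both directions of the tunnel.
! Assumed hosts: 10.10.10.20 (HTTPS server), 10.10.10.30 (file server).
access-list VPN_CLIENT_FILTER extended permit tcp 172.17.48.0 255.255.255.0 host 10.10.10.20 eq 443
access-list VPN_CLIENT_FILTER extended permit tcp 172.17.48.0 255.255.255.0 host 10.10.10.30 eq 445
access-list VPN_CLIENT_FILTER extended permit icmp 172.17.48.0 255.255.255.0 host 10.10.10.20 echo
! Implicit deny at the end: anything else from the pool is dropped after decryption.

! Assumed group-policy name; attach the filter here, not to an interface.
group-policy VPNCLIENTS internal
group-policy VPNCLIENTS attributes
 vpn-filter value VPN_CLIENT_FILTER

! Assumed tunnel-group name; make the group policy the default for these clients.
tunnel-group VPNCLIENTS general-attributes
 default-group-policy VPNCLIENTS
```

After a client connects, `show vpn-sessiondb remote` lists the filter name applied to the session, and `show access-list VPN_CLIENT_FILTER` shows per-entry hit counts, so a connection that is allowed through the tunnel but blocked from a server shows up as a miss on the filter rather than as an IKE or crypto-map error. An ACL used as a `vpn-filter` should not also be bound to an interface with `access-group`; the two are evaluated at different points and the filter is expected to be written from the client-pool side.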