Ciscio Pix V7.1 Client VPN Access Limit Question

Hi:

Have cisco client vpn working fine to a pix running V7.1.  Now we are trying to limit the access for the VPN Client Group to certian servers / ports, etc.

It seems to do this is to change the IPSEC rules in the ADM in the VPN / IPSEC / IPSEC RULES.  The defaule rule from the VPN Client Wizard has

Protect for the any for host side and the net of the VPN pool on the remote side applied to the tunnel policy.  

If any changes are made to this rule, the client will not connect with no matching crypto map.  Even if there are three rules put in for TCP/UDP/ICMP matching the one rule that is set for IP.  The configuration has been verified that it changes to reflect just the one change.

What works is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit ip any 172.17.48.0 255.255.255.0

What does not work is

access-list 0-Internet_cryptomap_dyn_20 line 1 extended permit tcp any 172.17.48.0 255.255.255.0  
access-list 0-Internet_cryptomap_dyn_20 line 2 extended permit udp any 172.17.48.0 255.255.255.0  
access-list 0-Internet_cryptomap_dyn_20 line 3 extended permit icmp any 172.17.48.0 255.255.255.0

Other postings have been reviwed, so what is the "proper" way to limit client vpn access with V7.1?

Thanks
LVL 1
ort11Asked:
Who is Participating?
 
naveedbCommented:
How are they connecting? Using Cisco Client?

Without complete config, I can not give you exact command. However in order to limit VPN Client to only certain IPS, you will need to use split tunnel. In your case, I see that

split-tunnel-network-list value new-west_splitTunnelAcl

is used for the split tunnel.

Looking at the acl it is

access-list new-west_splitTunnelAcl standard permit any

Which allows all traffic to come through. In order to limit hosts do this

no access-list new-west_splitTunnelAcl standard permit any
access-list new-west_splitTunnelAcl standard permit host 172.17.32.10

This will limit VPN Clients to only one host 172.17.32.10

As far as restricting to port, I am not sure if it is doable. I have seen it on the concentrators but not on the PIX.
0
 
naveedbCommented:
Can you post your running config from PIX?

Also, what host you want to give access to VPN clients?
0
 
ort11Author Commented:
Hi, the only change in the config are the listings above.  I'll see if I can post the none working config.  There will be several hosts / ports that will need access.  Let's say for discussion 172.17.32.10 is a host that needs vpn client access with port 1433.

0
Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

 
ort11Author Commented:
here are the interesting bits of the working config.  The only changes are in the access-list when permit ip is changed.
------------------------------------------

access-list new-west_splitTunnelAcl standard permit any
access-list 0-Fibernet-Internet_cryptomap_dyn_20 extended permit ip any 172.17.48.0 255.255.255.0

group-policy new-west internal
group-policy new-west attributes
 dns-server value 172.17.32.50
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value new-west_splitTunnelAcl
username new-west password [deleted] encrypted privilege 0
username new-west attributes
 vpn-group-policy new-west

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 match address 0-Fibernet-Internet_cryptomap_dyn_20
crypto dynamic-map 0-Fibernet-Internet_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map 0-Fibernet-Internet_map 65535 ipsec-isakmp dynamic 0-Fibernet-Internet_dyn_map
crypto map 0-Fibernet-Internet_map interface 0-Fibernet-Internet

isakmp enable 0-Fibernet-Internet
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

0
 
ort11Author Commented:
0-internet is the same is 0-Fibernet-Internet, I removed Fibernet from the first examples
0
 
ort11Author Commented:
Thanks, that seemed to work via command line.  Where in the ADSM would this be set?    

It is in CONFIGURATION / VPN / GROUP POLICY / SPLIT TUNNEL NETWORK LIST / MANAGE BUTTON / STANDARD ACL

I thought that I had tried this before asking the question, but ????  

Thanks again.

ort11
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.