[vpn] limiting access to specified ports on PIX firewall

John Spanos john.spanos at adacel.com
Thu Jun 27 00:52:35 EDT 2002


There are two ways to do it -

It can be done using a more complex solution.  Using RADIUS to AAA VPN
remote clients, you can send back a Filter-Id attribute which has an
access-list name/number.  Provided this ACL is configured on the PIX, then
you can dish out ACLs to VPN remote users on a per-user basis.  Use "sh
uauth" to see users and their assigned ACLs.  This is what I do.  Some of
this may vary if you have an old PIX OS.

Alternatively if you want a quick fix -

By default all IPSec client connections have open access unless an ACL is
downloaded via the above method.  What you can do is stop the return traffic
coming back, i.e. apply the following ACL on your inside interface (the port
match needs a tcp entry, and for return traffic from the web server it is the
source port that is 80):

access-list 102 permit tcp 192.168.1.0 255.255.255.0 eq 80 192.168.3.0 255.255.255.0

Hopefully, this should do the trick.


-----Original Message-----
From: Chuck Renner [mailto:crenner at dynalivery.com]
Sent: Thursday, June 27, 2002 7:31 AM
To: vpn at securityfocus.com
Subject: [vpn] limiting access to specified ports on PIX firewall


I have a PIX 506 firewall which is also providing VPN access to remote
users.  For some users, I want to limit the ports they have access to on the
internal network, in this case for them to connect to an internal web
server.

My original thought was to create a new vpngroup, with a new address pool,
then create a new access list.  I tried to create the access list like this:

access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

Where the internal network is 192.168.1.0/24, and the pool for VPN clients
is 192.168.3.0/24.  However, the PIX isn't accepting this.

Am I going about this in completely the wrong way?


VPN is sponsored by SecurityFocus.com
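The two pieces of the thread above, as an added example that is not part of the original messages: a small checker for the subset of PIX-style access-list syntax in question (it rejects a port match on a "permit ip" entry, which is why the line in the original question was not accepted, and accepts the tcp form), and the RADIUS Access-Accept with a Filter-Id attribute (RFC 2865) that names the ACL for a per-user assignment, built on the server side and then verified and decoded the way a NAS such as the PIX would. The shared secret, the Request Authenticator and the sample ACL lines are constructed for the example; the ACL grammar is deliberately reduced to permit/deny, a protocol, two address specs and optional "eq" ports.

```python
import hashlib
import hmac
import os
import struct

# --- 1. PIX-style access-list syntax check (reduced grammar, an assumption) --
# access-list <id> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
# where <src>/<dst> is "any", "host A.B.C.D", or "A.B.C.D MASK".

def _take_addr(tokens):
    """Consume one address spec; return ((addr, mask), remaining tokens)."""
    if not tokens:
        raise ValueError("missing address")
    if tokens[0] == "any":
        return ("0.0.0.0", "0.0.0.0"), tokens[1:]
    if tokens[0] == "host":
        if len(tokens) < 2:
            raise ValueError("'host' without an address")
        return (tokens[1], "255.255.255.255"), tokens[2:]
    if len(tokens) < 2:
        raise ValueError("address without mask")
    return (tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens, proto):
    """Consume an optional 'eq <port>'; only tcp and udp entries carry ports."""
    if tokens and tokens[0] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError("'eq' needs a tcp or udp entry, not '%s'" % proto)
        if len(tokens) < 2:
            raise ValueError("'eq' without a port")
        return tokens[1], tokens[2:]
    return None, tokens


def parse_acl_line(line):
    """Return the parsed fields of one access-list line, or raise ValueError."""
    tokens = line.split()
    if len(tokens) < 5 or tokens[0] != "access-list":
        raise ValueError("not an access-list line")
    acl_id, action, proto = tokens[1:4]
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rest = tokens[4:]
    src, rest = _take_addr(rest)
    sport, rest = _take_port(rest, proto)
    dst, rest = _take_addr(rest)
    dport, rest = _take_port(rest, proto)
    if rest:
        raise ValueError("unexpected tokens: %s" % " ".join(rest))
    return {"id": acl_id, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


# --- 2. RADIUS Access-Accept carrying Filter-Id (RFC 2865) -----------------
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11


def build_access_accept(identifier, request_authenticator, secret, filter_id):
    """Reply the RADIUS server sends for an authenticated VPN user.

    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attrs | Secret).
    """
    fid = filter_id.encode()
    attrs = struct.pack("!BB", ATTR_FILTER_ID, 2 + len(fid)) + fid
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def filter_id_from_reply(packet, request_authenticator, secret):
    """NAS side: verify the Response Authenticator, then extract Filter-Id."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: reply not from our server")
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("malformed attribute")
        if attrs[i] == ATTR_FILTER_ID:
            return attrs[i + 2:i + attrs[i + 1]].decode()
        i += attrs[i + 1]
    return None  # no Filter-Id: the client would keep its default (open) access


if __name__ == "__main__":
    # Constructed sample lines, modelled on the thread but not copied from a PIX.
    rejected = "access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80"
    accepted = rejected.replace("permit ip", "permit tcp")
    try:
        parse_acl_line(rejected)
    except ValueError as err:
        print("rejected:", err)
    print("accepted:", parse_acl_line(accepted))
    req_auth = os.urandom(16)              # taken from the Access-Request in real use
    secret = b"example-shared-secret"      # assumption: the aaa-server key on the PIX
    reply = build_access_accept(7, req_auth, secret, "102")
    print("Filter-Id assigned:", filter_id_from_reply(reply, req_auth, secret))
```

The ACL named in Filter-Id must already exist on the PIX, as the reply above notes; the checker only catches the syntax error, not a missing ACL, and the authenticator check is what stops a spoofed reply from handing a client a more permissive list.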