[vpn] limiting access to specified ports on PIX firewall

Dana J. Dawson djdawso at qwest.com
Thu Jun 27 17:52:46 EDT 2002


There's another approach you can take.  All the sample VPN configs show the
"sysopt connection permit-ipsec" command as part of the config.  It's this
command that allows all the IPSec and client VPN traffic to bypass the usual PIX
filtering, but you don't have to use it.  If you leave that "sysopt" command
out, then you can use an access-list to allow different client address pools to
access different local addresses.  You also have to specifically allow the IPSec
traffic into the PIX itself (UDP/500 and IP/50), but that's not too hard.

I hope this helps.

Dana

--
Dana J. Dawson                     djdawso at qwest.com
Senior Staff Engineer              CCIE #1937
Qwest Global Services              (612) 664-3364
Qwest Communications               (612) 664-4779 (FAX)
600 Stinson Blvd., Suite 1S
Minneapolis  MN  55413-2620

"Hard is where the money is."



John Spanos wrote:

> There are two ways to do it -
>
> It can be done using a more complex solution.  Using RADIUS to AAA VPN
> Remote Clients you can send back a Filter-Id attribute which has an
> access-list name/number.  Provided this ACL is configured on the PIX then
> you can dish out ACLs to VPN Remote User on a per-user-basis.  Use "sh
> uauth" to see users and their assigned ACLS.  This is what I do.  Some of
> this may vary if you have an old PIX OS.
>
> Alternatively if you want a quick fix -
>
> By default all IPSec client connections have open access unless an ACL is
> downloaded via the above method. What you can do is stop the return traffic
> coming back - i.e. apply the following ACL on your inside interface :
>
> access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.3.0
> 255.255.255.0 eq 80
>
> Hopefully, this should do the trick.
>
> -----Original Message-----
> From: Chuck Renner [mailto:crenner at dynalivery.com]
> Sent: Thursday, June 27, 2002 7:31 AM
> To: vpn at securityfocus.com
> Subject: [vpn] limiting access to specified ports on PIX firewall
>
> I have a PIX 506 firewall which is also providing VPN access to remote
> users.  For some users, I want to limit the ports they have access to on the
> internal network, in this case for them to connect to an internal web
> server.
>
> My original thought was to create a new vpngroup, with a new address pool,
> then create a new access list.  I tried to create the access list like this:
>
> access-list 102 permit ip 192.168.3.0 255.255.255.0 192.168.1.0
> 255.255.255.0 eq 80
>
> Where the internal network is 192.168.1.0/24, and the pool for VPN clients
> is 192.168.3.0/24.  However, the PIX isn't accepting this.
>
> Am I going about this in completely the wrong way?
>
> VPN is sponsored by SecurityFocus.com
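Putting Dana's suggestion into a concrete configuration, as an added example that is not from any of the posters: PIX 6.x-style syntax, with the outside address, the web server address, the second pool and all group and ACL names being placeholders I chose. The port match uses tcp rather than ip, since the PIX only accepts an eq port on tcp or udp entries, which is the reason the line in the original question was rejected.

```cisco
: Added example, not from the thread. Placeholder addresses and names.
: The point of this approach is what is NOT configured:
:   no "sysopt connection permit-ipsec"
: so decrypted client traffic is filtered by the outside interface ACL.

: Let the IPSec sessions themselves reach the PIX outside address
: (IKE on UDP/500, ESP is IP protocol 50)
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit esp any host 203.0.113.1

: Restricted pool 192.168.3.0/24: only HTTP to the internal web server
access-list outside_in permit tcp 192.168.3.0 255.255.255.0 host 192.168.1.10 eq www

: Full-access pool 192.168.4.0/24: anything on the inside network
access-list outside_in permit ip 192.168.4.0 255.255.255.0 192.168.1.0 255.255.255.0

: Everything else from either pool hits the implicit deny
access-group outside_in in interface outside

: Two client groups, each handed its own address pool
ip local pool restricted-pool 192.168.3.1-192.168.3.254
ip local pool full-pool 192.168.4.1-192.168.4.254
vpngroup webonly address-pool restricted-pool
vpngroup webonly password <placeholder-key>
vpngroup staff address-pool full-pool
vpngroup staff password <placeholder-key>
```

With the sysopt command absent, every decrypted client packet is evaluated against outside_in in the order shown, so the per-pool entries belong on the outside interface rather than the inside one; show access-list on the PIX lists a hit count per entry, which is a quick way to confirm that the restricted pool is matching only the web server line.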