[VPN] Complete VPN access to all PIX interfaces

shannong shannong at texas.net
Mon Apr 28 23:22:51 EDT 2003


You need to remove the command [sysopt connect permit-ipsec].  This
tells the Pix to bypass all ACLs for traffic incoming from VPN tunnels.
Instead, use an ACL on the interface where the VPN is terminated
(outside in your case) to allow exactly the traffic you want. Keep in
mind the command is global, and you'll need to define ACEs that allow
all desired VPN traffic for all tunnels.

-Shannon


-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of jmondaca at entelsa.entelnet.bo
Sent: Thursday, April 24, 2003 11:20 AM
To: vpn at lists.shmoo.com; vpn-admin at lists.shmoo.com
Subject: [VPN] Complete VPN access to all PIX interfaces

 

 

 

 

 

 

 

 

 

 

 I have a PIX 6.2 with 6 interfaces and VPN client 3.0. I have
configured   
 the firewall to permit a VPN connection using the following conf

 

 access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0

 nat (dmz2) 0 access-list 100

 sysopt connection permit-ipsec

 crypto ipsec transform-set myset esp-3des esmp-md5-hamc

 crypto dynamic-map dynmap 30 set transform-set myset

 crypto map newmap 20 ipsec-isakmp dynamic dynmap

 crypto map newmap interface outside

 * and the configuration of the vpngroup and isakmp

 

 The problem is that I only want the vpn client access my x.x.x.x
network   
 in dmz2 but the VPN client can access all the computers in the
internal,   
 dmz1, dmz3, etc (all the interfaces).

 

 

 Thanks in advance.

 

 

 

 










_______________________________________
Jorge Mondaca
Gerencia Seguridad Corporativa
(591) 2-2313030 ext 2021
(591) 72029832


_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn






More information about the VPN mailing list