[VPN] Complete VPN access to all PIX interfaces
shannong
shannong at texas.net
Mon Apr 28 23:22:51 EDT 2003
You need to remove the command [sysopt connection permit-ipsec]. This
tells the PIX to bypass all ACLs for traffic incoming from VPN tunnels.
Instead, use an ACL on the interface where the VPN is terminated
(outside in your case) to allow exactly the traffic you want. Keep in
mind the command is global, and you'll need to define ACEs that allow
all desired VPN traffic for all tunnels.
-Shannon
-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of jmondaca at entelsa.entelnet.bo
Sent: Thursday, April 24, 2003 11:20 AM
To: vpn at lists.shmoo.com; vpn-admin at lists.shmoo.com
Subject: [VPN] Complete VPN access to all PIX interfaces
I have a PIX 6.2 with 6 interfaces and VPN client 3.0. I have configured
the firewall to permit a VPN connection using the following configuration:
access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside
* and the configuration of the vpngroup and isakmp
The problem is that I only want the VPN client to access my x.x.x.x
network in dmz2, but the VPN client can access all the computers in the
internal, dmz1, dmz3, etc. (all the interfaces).
Thanks in advance.
_______________________________________
Jorge Mondaca
Gerencia Seguridad Corporativa
(591) 2-2313030 ext 2021
(591) 72029832
_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
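Applying Shannon's advice to the configuration quoted above, as an added example that is not part of the thread. The addresses (10.20.0.0/24 standing in for the dmz2 network x.x.x.x, 192.168.200.0/24 for the client pool y.y.y.y) and the ACL name outside_in are assumed placeholders.

```cisco
! Constructed example (not from the list thread). Assumed addresses:
!   10.20.0.0/24     = dmz2 network behind the PIX (x.x.x.x in the thread)
!   192.168.200.0/24 = VPN client address pool (y.y.y.y in the thread)

! --- Weak setting (as posted): every decrypted tunnel packet bypasses the
! --- interface ACLs, so clients reach inside, dmz1, dmz3, ... as well.
sysopt connection permit-ipsec

! --- Corrected: drop the global bypass so decrypted VPN traffic is
! --- checked against the ACL bound to the terminating interface.
no sysopt connection permit-ipsec

! Identity NAT stays as posted: dmz2 <-> pool traffic is not translated.
access-list 100 permit ip 10.20.0.0 255.255.255.0 192.168.200.0 255.255.255.0
nat (dmz2) 0 access-list 100

! Inbound ACL on outside. Without the sysopt, the IKE and ESP packets
! destined to the PIX itself must also be allowed here (assumed interface
! address 203.0.113.1 as placeholder); check "show crypto isakmp sa" if the
! tunnel stops establishing after the change.
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit esp any host 203.0.113.1

! Decrypted client traffic: permit only pool -> dmz2. The implicit deny at
! the end of the ACL drops pool -> inside/dmz1/dmz3 and is logged as
! a %PIX-4-106023 deny, which is what you look for when verifying the fix.
access-list outside_in permit ip 192.168.200.0 255.255.255.0 10.20.0.0 255.255.255.0

! Any existing ACEs for non-VPN inbound traffic keep their place in this
! same ACL (one ACL per interface direction).
access-group outside_in in interface outside
```

The permit for the pool is the single ACE that defines client reach; adding tunnels later means adding matching ACEs to outside_in, not re-enabling the sysopt.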