Filtering port inside a VPN

[ytreza]

Hi all,

Does someone know how to setup a VPN tunnel WITH filtering port ?

I mean with an access-list different that :
access-list vpn permit ip network1 network2

for exmaple :
access-list vpn permit tcp host server1 gt 1024 network1
access-list vpn permit tcp host server1 eq 22 network1


For me, if I try such access-list I have many errors with the time...

Do I have to open something else in the access-list ?

Thanks a lot.

See You. ;-)

Ytreza

 

[yizhar]

HI.

This is a disadvantage of the pix. If you want to do it, you should use the same access-list bound to the outside interface, for example:

access-list fromoutside permit tcp any host MAILSERVER eq smtp
access-list fromoutside permit tcp ...
access-list fromoutside permit tcp VPNCLIENTS 255.255.255.0 ...
access-group fromoutside in interface outside

And, you need to disable the "sysopt connection permit-ipsec" command if present.

If you have a complex scenario and need better control of VPN clients, a better but more expensive option is to use a dedicated VPN server instead of the pix itself which is lacking some options as you can see.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar