
Restricting Cisco VPN Clients and PPTP Clients on PIX

Status
Not open for further replies.

tangerine0072000

Technical User
Apr 20, 2005
83
GB
Hi all,
Currently using a Cisco PIX 506. My Cisco VPN clients and PPTP clients once authenticated, have un-restricted access to the whole internal subnet.

Is there a way to restrict what these users have access to, in terms of certain IP addresses and ports?

thanks,
 
Your IPsec and PPTP clients should NOT be assigned an IP address from your local LAN range when they connect. So if you use 192.168.1.0/24 as your local range, use something else for your IPsec VPN client pool, eg 192.168.20.0/24, and another range again for your PPTP clients, eg 192.168.40.0/24. The PIX will proxy ARP for whatever ranges you choose to use, so traffic will route fine between these networks and your local LAN.

Then create access-lists that only permit the specific ports and addresses you want to allow, and apply them to the interfaces in the usual manner.

For IPsec (rather than PPTP) clients, be sure to remove the following command from your config:

sysopt connection permit-ipsec

The above causes all traffic which arrives at the PIX in an IPsec tunnel to bypass all access-lists after it's decrypted. Very good for testing purposes, and getting a VPN to work quickly, not so good in terms of security.



CCSP, CCNA, CCSA, MCSE, Cisco Firewall specialist, VPN specialist, IDS specialist
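The set-up the answer above describes, written out as an added, constructed PIX OS 6.x configuration fragment (it is not the poster's or the answerer's config). It assumes an inside LAN of 192.168.1.0/24, an IPsec client pool of 192.168.20.0/24, a PPTP client pool of 192.168.40.0/24, a terminal server at 192.168.1.20 and a file server at 192.168.1.30; the pool, group and access-list names are also assumptions, and the access-list is written as if nothing else is yet applied inbound on the outside interface.

```cisco
! --- Constructed example; all addresses, pool, group and ACL names are assumed ---

! Separate address pools for each client type, outside the 192.168.1.0/24 LAN range
ip local pool ipsecpool 192.168.20.1-192.168.20.254
ip local pool pptppool 192.168.40.1-192.168.40.254

! Cisco VPN (IPsec) client group draws from the IPsec pool
vpngroup remoteusers address-pool ipsecpool
vpngroup remoteusers dns-server 192.168.1.10
vpngroup remoteusers password PRESHAREDKEY-PLACEHOLDER

! PPTP clients draw from the PPTP pool
vpdn group pptpusers accept dialin pptp
vpdn group pptpusers ppp authentication mschap
vpdn group pptpusers client configuration address local pptppool
vpdn group pptpusers client authentication local
vpdn enable outside

! Do not NAT traffic between the LAN and either client pool
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.20.0 255.255.255.0
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.40.0 255.255.255.0
nat (inside) 0 access-list nonat

! Client traffic enters on the outside interface after decryption, so the
! restriction goes in the inbound access-list there. Only the listed hosts
! and ports are reachable; everything else from the pools is dropped.
access-list outside_in permit tcp 192.168.20.0 255.255.255.0 host 192.168.1.20 eq 3389
access-list outside_in permit tcp 192.168.20.0 255.255.255.0 host 192.168.1.30 eq 445
access-list outside_in permit tcp 192.168.40.0 255.255.255.0 host 192.168.1.20 eq 3389
access-list outside_in deny ip 192.168.20.0 255.255.255.0 any
access-list outside_in deny ip 192.168.40.0 255.255.255.0 any
access-group outside_in in interface outside

! Without this line the access-list above is never consulted for IPsec traffic
no sysopt connection permit-ipsec
```

After applying it, `show access-list outside_in` should show hit counts climbing on the permit lines as clients connect and on the deny lines when they try anything else; if the deny counters never move while clients can still reach the whole LAN, `sysopt connection permit-ipsec` is most likely still in the running config (`show running-config | include sysopt`). PIX OS has an analogous `sysopt connection permit-pptp`; if it is present, PPTP client traffic bypasses the access-list in the same way, so check for it as well.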
 