
Securing VPN Clients without using sysopt connection permit-ipsec ?


nicolel007

Technical User
Feb 4, 2005
Hello,

I would like to control exactly what remote VPN clients have access to on the internal network. With this in mind, I disabled the 'sysopt connection permit-ipsec' command.

I have defined my VPN group and IP pool etc., but I'm not sure how to control remote users, taking into account they will also be coming from random ISP-assigned IP addresses.

Can someone shed some light on this ?

thanks,
 
Create an access list to permit TCP port 500 and protocols 50 and 51 in from the addresses or subnets.
 
Hi,

When you say 'from the addresses or subnets', these will be random ISP assigned addresses as users could be dialing in from anywhere !
 
Then use the sysopt statement; it's the easiest way to allow the world to make ipsec connections to your Pix.

As I looked at your post again, I see that you want to restrict what they can access. As I recall, you can use an ACL using the address pool as the source addresses. We don't, but I recall looking into that a couple of years ago.
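A worked PIX 6.x configuration for the approach described in this thread (added here as an illustration, not taken from any poster's config). All addresses are constructed: outside interface 203.0.113.1, client pool 192.168.100.0/24, internal file server 10.0.0.10 and mail server 10.0.0.20. ISAKMP negotiation runs over UDP port 500, and with the sysopt command disabled the decrypted client traffic is evaluated against the outside interface ACL, so the pool-sourced restrictions live in that same ACL.

```cisco
! Added example, PIX 6.x syntax. Addresses are constructed placeholders.
! Decrypted VPN traffic is no longer exempt from the interface ACL.
no sysopt connection permit-ipsec

! Pool handed to remote clients; it is the ACL source for their traffic.
ip local pool vpnpool 192.168.100.1-192.168.100.254
vpngroup remoteusers address-pool vpnpool

! 1. Let any Internet address negotiate IPsec with the outside interface:
!    ISAKMP is UDP 500, ESP is IP protocol 50, AH is IP protocol 51.
access-list outside_in permit udp any host 203.0.113.1 eq isakmp
access-list outside_in permit esp any host 203.0.113.1
access-list outside_in permit ah any host 203.0.113.1
! Only needed if "isakmp nat-traversal" is enabled for clients behind NAT.
access-list outside_in permit udp any host 203.0.113.1 eq 4500

! 2. Restrict what decrypted client traffic may reach. The source is the
!    pool address, not the client's real ISP address, because the packet
!    has already been decrypted when this ACL is applied.
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.10 eq 445
access-list outside_in permit tcp 192.168.100.0 255.255.255.0 host 10.0.0.20 eq 25
access-list outside_in permit icmp 192.168.100.0 255.255.255.0 10.0.0.0 255.255.255.0 echo
! Everything else from the pool is dropped by the implicit deny at the end.

access-group outside_in in interface outside

! Exempt inside-to-pool traffic from NAT so replies return through the tunnel.
access-list nonat permit ip 10.0.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (inside) 0 access-list nonat
```

Verify the result with `show access-list outside_in` after a client connects: the hit counters on the pool-sourced lines should increase while the implicit deny accounts for anything you did not explicitly permit.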
 