[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
vpaziran at yahoo.com
Mon Sep 18 19:04:46 EDT 2006
1. I don't want VPN access open to the entire world. Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?
I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to
VPN in general, but remote access VPN is working.
I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so
exposed to port scanning.
I did find the "set peer" option:
> crypto dynamic-map dyn1 1 set peer 220.127.116.11
which would only allow VPN clients having IP 18.104.22.168 to log in, but the problem
is they still receive a login prompt. Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?
"Make it better before you make it faster."