[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames

Vahid Pazirandeh vpaziran at yahoo.com
Mon Sep 18 19:04:46 EDT 2006

Quick version:
1. I don't want VPN access open to the entire world.  Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?

I have a Cisco PIX 515E with 7.2(1) software up and running.  I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!).  How can I deny them?  I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
> crypto dynamic-map dyn1 1 set  peer

which would only allow VPN clients having IP to log in, but the problem
is they still receive a login prompt.  Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?

kind regards,

 "Make it better before you make it faster."


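The check behind the poster's last question, added here as an example (it is not part of the original post and not Cisco code): a small probe that tells you, from an address that is not a permitted peer, whether the firewall's VPN listeners answer, refuse, or stay silent. It sends one well-formed IKEv1 Main Mode proposal to UDP 500 and does a plain TCP connect to the IPsec-over-TCP port (10000, as in the post). The target host, the 3DES/SHA1/PSK/group-2 proposal, and the loopback listener used for the offline demo are all assumptions of the example; a "silent" result on UDP 500 can also mean an upstream filter, not only the firewall dropping packets.

```python
"""Probe a firewall's remote-access VPN listeners from an arbitrary source address.

Example code added to this page; not from the original post or from Cisco.
"responds"/"open" means the service is visible to strangers (what the poster sees
with "set peer": a prompt is still offered); "silent" is the hidden behaviour asked for.
"""
import os
import socket
import struct
import threading

ISAKMP_PORT = 500            # IKEv1 over UDP
IPSEC_OVER_TCP_PORT = 10000  # Cisco IPsec-over-TCP port mentioned in the post


def build_ike_main_mode_sa(cookie: bytes) -> bytes:
    """IKEv1 Main Mode message 1: ISAKMP header + SA + one proposal + one transform.

    Proposal is 3DES / SHA1 / pre-shared key / DH group 2 (RFC 2409 Appendix A
    attribute numbers; an assumed proposal, any well-formed one will do).  A
    responder that talks to unknown peers replies with an SA or a notification.
    """
    # Four basic (TV) attributes: type with the high bit set, then a 16-bit value.
    attrs = b"".join(struct.pack("!HH", 0x8000 | t, v)
                     for t, v in ((1, 5), (2, 2), (3, 1), (4, 2)))
    # Transform: next=0, reserved, length, transform#=1, id=1 (KEY_IKE), reserved
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, 1, 0) + attrs
    # Proposal: next=0, reserved, length, proposal#=1, proto=1 (ISAKMP), SPI size=0, 1 transform
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(transform), 1, 1, 0, 1) + transform
    # SA payload: next=0, reserved, length, DOI=1 (IPsec), situation=1 (identity only)
    sa = struct.pack("!BBHII", 0, 0, 12 + len(proposal), 1, 1) + proposal
    # Header: cookies, next payload=1 (SA), version 1.0, exchange=2 (Main Mode), flags, msg id, length
    header = struct.pack("!8s8sBBBBII", cookie, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(sa))
    return header + sa


def parse_isakmp_header(data: bytes) -> dict:
    """Decode the fixed 28-byte ISAKMP header of a reply (RFC 2408 section 3.1)."""
    if len(data) < 28:
        raise ValueError("short ISAKMP header")
    fields = struct.unpack("!8s8sBBBBII", data[:28])
    keys = ("icookie", "rcookie", "next_payload", "version", "exchange",
            "flags", "message_id", "length")
    return dict(zip(keys, fields))


def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """'open' (handshake completed), 'closed' (RST), or 'filtered' (nothing came back)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout or ICMP unreachable
            return "filtered"


def probe_ike(host: str, port: int = ISAKMP_PORT, timeout: float = 3.0) -> str:
    """'responds', 'closed' (ICMP port unreachable), or 'silent' (dropped or filtered)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP: ICMP errors surface as exceptions
        s.send(build_ike_main_mode_sa(os.urandom(8)))
        try:
            reply = s.recv(4096)
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "silent"
    try:
        hdr = parse_isakmp_header(reply)
    except ValueError:
        return "responds (non-ISAKMP reply)"
    return "responds (exchange type %d)" % hdr["exchange"]


def demo_against_local_listener() -> tuple:
    """Offline check of probe_tcp: a loopback listener (constructed stand-in for
    port 10000), probed once while listening and once after it is closed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    acceptor = threading.Thread(target=lambda: srv.accept()[0].close(), daemon=True)
    acceptor.start()
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    acceptor.join(2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        print("loopback demo (open, closed):", demo_against_local_listener())
    else:
        target = sys.argv[1]  # the firewall's outside address, supplied by the user
        print("tcp/%d: %s" % (IPSEC_OVER_TCP_PORT, probe_tcp(target, IPSEC_OVER_TCP_PORT)))
        print("udp/%d: %s" % (ISAKMP_PORT, probe_ike(target)))
```

Run it from a host that is not one of the configured peers; if UDP 500 or TCP 10000 still comes back "responds"/"open", the service is visible to port scanners no matter what the interface ACL says. NAT-T on UDP 4500 is a third listener worth probing the same way, though the post does not mention it.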