[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames

Vahid Pazirandeh vpaziran at yahoo.com
Mon Sep 18 19:04:46 EDT 2006


Quick version:
1. I don't want VPN access open to the entire world.  Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?



I have a Cisco PIX 515E with 7.2(1) software up and running.  I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!).  How can I deny them?  I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
> crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients with IP 1.2.3.4 to log in, but the problem
is they still receive a login prompt.  Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?

Kind regards,
Vahid


=============================================
 "Make it better before you make it faster."
=============================================
