[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames

Prabhu Gurumurthy pgurumu at gmail.com
Wed Sep 27 13:12:48 EDT 2006

Vahid Pazirandeh wrote:
> Quick version:
> 1. I don't want VPN access open to the entire world.  Is there a way to limit
> its access with ACLs?
> 2. A follow-up question: can I restrict access to VPN clients based on their
> hostnames instead of IPs?
> I have a Cisco PIX 515E with 7.2(1) software up and running.  I'm very new to
> VPN in general, but remote access VPN is working.
> I tried using IPSec over TCP (which works), but even if I have a "deny ip any
> any" rule for the outside interface, TCP connections are still permitted to the
> VPN port 10000 (wow!).  How can I deny them?  I feel strange having the VPN so
> exposed to port scanning.
> I did find the "set peer" option:
>> crypto dynamic-map dyn1 1 set  peer
> which would only allow VPN clients having IP to login, but the problem
> is they still receive a login prompt.  Is there a way to hide the VPN entirely
> (like just dropping the pkts for unknown clients).
> kind regards,
> Vahid
> =============================================
>  "Make it better before you make it faster."
> =============================================
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around 
> http://mail.yahoo.com 
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards at listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Okay -
How will you try to restrict access based on ACL's for remote access 
VPN. Think about all the DHCP users (Like broadband connection or 
dialup) who will be logging in and their IP address is not guaranteed to 
be static(same) all the time.

That why you have Remote access VPN instead of LAN2LAN tunnel!. Well I 
am not saying you cannot do that, but it kinda defeats the purpose for me.

Infact do not trust anything either hostnames or IP's. Use secure keys 
and you will be safe, that is relatively.

BTW the first process of any VPN is IKE, which actually listens on port 
500. Now, 10000 is the standard PIX port for receiving and sending IPSec 
traffic, why would you want to put ACL's on the port which is meant for 
receiving and sending IPSec packets. If your ACLs are bad!, then it will 
result in bad connectivity for the users whom you think need to use it.
Paranoia is fine with security, but dont be over paranoid. PIX is 
relatively more secure and it is smart enough to allow only the traffic 
that it trusts to go thru it (which BTW depends on your config).

Hope this helps.

More information about the firewall-wizards mailing list