Firewall Wizards mailing list archives

Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames


From: Vahid Pazirandeh <vpaziran () yahoo com>
Date: Mon, 18 Sep 2006 16:04:46 -0700 (PDT)

Quick version:
1. I don't want VPN access open to the entire world.  Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?



I have a Cisco PIX 515E with 7.2(1) software up and running.  I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!).  How can I deny them?  I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients with IP 1.2.3.4 to log in, but the problem
is they still receive a login prompt.  Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?

Kind regards,
Vahid


=============================================
 "Make it better before you make it faster."
=============================================
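As an added example that is not part of the post above: a small Python triage script for the situation the poster describes, which checks which sources are hitting the IPsec-over-TCP port (10000) against an allowlist of permitted peers given as addresses, CIDR ranges or hostnames, and flags sources that retry often enough to look like scanning. Hostnames are resolved through a caller-supplied lookup (here a constructed table, since the firewall itself compares addresses, not names); the log format, hostnames and all addresses other than the post's 1.2.3.4 are constructed.

```python
import ipaddress
from collections import Counter

# Constructed sample log lines (NOT real PIX syslog): "<src ip> -> <dst port>"
SAMPLE_LOG = """\
1.2.3.4 -> 10000
203.0.113.9 -> 10000
203.0.113.9 -> 10000
203.0.113.9 -> 10000
198.51.100.7 -> 10000
1.2.3.4 -> 443
198.51.100.7 -> 10000
"""

# Constructed stand-in for DNS (hypothetical hostname); swap in a real resolver if needed.
FAKE_DNS = {"laptop.example.net": "198.51.100.7"}

VPN_TCP_PORT = 10000  # IPsec-over-TCP port mentioned in the post


def build_allowlist(entries, resolve=FAKE_DNS.get):
    """Turn IPs, CIDRs and hostnames into ip_network objects.
    Hostnames are resolved with `resolve` (default: the constructed table)."""
    nets = []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an address or CIDR, treat as a hostname
            addr = resolve(entry)
            if addr is None:
                raise ValueError(f"cannot resolve allowlist entry {entry!r}")
            nets.append(ipaddress.ip_network(addr))
    return nets


def unknown_peers(log_text, allowlist, port=VPN_TCP_PORT, scan_threshold=3):
    """Return (unknown_sources, suspected_scanners) for hits on the VPN port."""
    hits = Counter()
    for line in log_text.splitlines():
        src, _, dport = line.partition(" -> ")
        if int(dport) != port:
            continue  # only traffic aimed at the VPN port is of interest
        if not any(ipaddress.ip_address(src) in net for net in allowlist):
            hits[src] += 1
    scanners = sorted(s for s, c in hits.items() if c >= scan_threshold)
    return sorted(hits), scanners


if __name__ == "__main__":
    allow = build_allowlist(["1.2.3.4", "laptop.example.net"])
    print(unknown_peers(SAMPLE_LOG, allow))
```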
