Firewall Wizards mailing list archives
Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
From: Vahid Pazirandeh <vpaziran () yahoo com>
Date: Mon, 18 Sep 2006 16:04:46 -0700 (PDT)
Quick version:

1. I don't want VPN access open to the entire world. Is there a way to limit its access with ACLs?

2. A follow-up question: can I restrict access to VPN clients based on their hostnames instead of IPs?

I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to VPN in general, but remote access VPN is working. I tried using IPSec over TCP (which works), but even if I have a "deny ip any any" rule for the outside interface, TCP connections are still permitted to the VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so exposed to port scanning.

I did find the "set peer" option:

    crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients having IP 1.2.3.4 to login, but the problem is they still receive a login prompt. Is there a way to hide the VPN entirely (like just dropping the pkts for unknown clients).

kind regards,
Vahid

=============================================
"Make it better before you make it faster."
=============================================
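An added illustration, not part of the post or a PIX configuration: the two checks the question asks about (an IP allow-list, and a hostname allow-list) modelled as a small Python filter of the kind one could run on an upstream host in front of the VPN listener, deciding whether an unknown peer gets silently dropped or allowed to reach the IKE/TCP-10000 port. The reason a "deny ip any any" interface ACL did nothing here is that PIX interface ACLs filter traffic passing through the box, while IKE and IPsec-over-TCP terminate on the box itself. The allow-list networks, hostname suffix, DNS records and source addresses below are all constructed for the example; the hostname check is forward-confirmed reverse DNS (PTR, then A must point back), because a bare PTR record is under the control of whoever owns the source address block and can be made to say anything.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Constructed allow-lists (assumptions for this example, not from the post).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("1.2.3.4/32", "203.0.113.0/24")]
ALLOWED_NAME_SUFFIXES = (".vpn-users.example.net",)

ReverseLookup = Callable[[str], Optional[str]]   # ip -> PTR name, or None
ForwardLookup = Callable[[str], List[str]]       # name -> list of A records


def dns_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup via the system resolver (used when no table is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except OSError:
        return None


def dns_forward(name: str) -> List[str]:
    """Real A lookup via the system resolver (used when no table is injected)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def ip_permitted(src_ip: str, networks=ALLOWED_NETWORKS) -> bool:
    """Question 1: is the source inside one of the permitted networks?"""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in networks)


def forward_confirmed_name(src_ip: str, reverse: ReverseLookup = dns_reverse,
                           forward: ForwardLookup = dns_forward) -> Optional[str]:
    """Return the PTR name only if its A records include the source address."""
    name = reverse(src_ip)
    if not name:
        return None
    if src_ip not in forward(name):
        return None            # PTR claims a name the name does not claim back
    return name


def host_permitted(src_ip: str, reverse: ReverseLookup = dns_reverse,
                   forward: ForwardLookup = dns_forward,
                   suffixes=ALLOWED_NAME_SUFFIXES) -> bool:
    """Question 2: hostname allow-list, accepted only after forward confirmation."""
    name = forward_confirmed_name(src_ip, reverse, forward)
    return name is not None and name.endswith(suffixes)


def decide(src_ip: str, reverse: ReverseLookup = dns_reverse,
           forward: ForwardLookup = dns_forward) -> str:
    """ALLOW lets the peer reach the VPN port; DROP means no reply at all."""
    if ip_permitted(src_ip) or host_permitted(src_ip, reverse, forward):
        return "ALLOW"
    return "DROP"


# Constructed DNS tables standing in for the real resolver.
PTR: Dict[str, str] = {
    "1.2.3.4": "laptop1.vpn-users.example.net",        # also on the IP list
    "192.0.2.20": "desk2.vpn-users.example.net",       # allowed by name only
    "198.51.100.7": "forged.vpn-users.example.net",    # PTR not confirmed forward
}
A: Dict[str, List[str]] = {
    "laptop1.vpn-users.example.net": ["1.2.3.4"],
    "desk2.vpn-users.example.net": ["192.0.2.20"],
    "forged.vpn-users.example.net": ["192.0.2.50"],
}


def table_reverse(ip: str) -> Optional[str]:
    return PTR.get(ip)


def table_forward(name: str) -> List[str]:
    return A.get(name, [])


if __name__ == "__main__":
    for src in ("1.2.3.4", "203.0.113.77", "192.0.2.20", "198.51.100.7", "192.0.2.99"):
        print(f"{src:15} {decide(src, table_reverse, table_forward)}")
```

Run as-is it uses the constructed tables; passing no resolver arguments makes `decide` consult real DNS. The forged entry shows the caveat for the hostname question: its PTR says it belongs to the allowed domain, but the name resolves elsewhere, so it is dropped rather than granted access.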