Cisco PIX VPN – Configure IP access restriction

Tags: Cisco, Firewalls, IP, VPN
We have a PIX successfully running VPN (I just inherited this network so I am not sure what all is here yet) and we want to restrict which external IPs can access VPN. What is the best method to do this? See my config below (with obvious parts removed or X'd out).

PIX Version 6.3(3)
interface ethernet0 100full
interface ethernet1 100full
interface ethernet2 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password
passwd
hostname pix
domain-name xxx.com
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
no names
name 192.168.xx
name 192.168.xx Internet_Allowed
object-group service BackupExec tcp
  description Backup Exec Remote Agent Ports
  port-object range 50150 50174
access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.66.0 255.255.255.0 10.0.0.128 255.255.255.128
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 10.0.0.128 255.255.255.128
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.128
access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.128
access-list inside_access_in remark Allow_inside_to_DMZ
access-list inside_access_in permit ip 192.168.0.0 255.255.0.0 172.16.0.64 255.255.255.240
access-list inside_access_in permit ip 192.168.70.0 255.255.255.192 any
access-list inside_access_in permit ip host 192.168.66.15 host 132.163.4.102
access-list inside_access_in permit ip host 192.168.66.15 host 206.13.31.12
access-list inside_access_in permit ip host 192.168.66.15 host 206.13.28.12
access-list inside_access_in permit ip host 192.168.66.25 host 206.13.31.12
access-list inside_access_in permit ip host 192.168.66.25 host 206.13.28.12
access-list inside_access_in permit ip host 192.168.66.60 any
access-list inside_access_in permit tcp host 192.168.70.85 host 63.78.220.211
access-list inside_access_in permit tcp host 192.168.70.85 host 208.46.87.75
access-list outside_access_in permit tcp any host 63.200.xx eq smtp
access-list outside_access_in remark Web_Server
access-list outside_access_in permit tcp any host 63.200.xx eq www syslog
access-list outside_access_in remark ICMP_echo_replys_to_Inside_and_DMZ
access-list outside_access_in permit icmp any any echo-reply
access-list outside_access_in remark ICMP_unreachable_messages_to_Inside_and_DMZ
access-list outside_access_in permit icmp any any unreachable
access-list outside_access_in remark ICMP_exceeded_max_hops_to_Inside_and_DMZ
access-list outside_access_in permit icmp any any time-exceeded
access-list dmz_access_in remark Allow_DMZ_to_Internet
access-list dmz_access_in permit ip xxx any
access-list dmz_access_in remark Allow_DMZ_to_XXX
access-list dmz_access_in permit ip XXX host 192.168.66.15
access-list dmz_access_in remark Allow_DMZ_to_XXX
access-list dmz_access_in permit ip XXX host 192.168.66.25
access-list dmz_access_in remark Ports for Backup Exec agents in DMZ (temp for all ports)
access-list dmz_access_in permit tcp XXX host XXXX
access-list dmz_outbound_nat0_acl remark 11/29/2006 VNC from VPN to DMZ
access-list dmz_outbound_nat0_acl permit ip XXX 10.0.0.128 255.255.255.128
access-list dmz_outbound_nat0_acl remark 11/29/2006 VNC from VPN to DMZ
access-list dmz_outbound_nat0_acl permit ip XXX 10.0.0.0 255.255.255.128
pager lines 24
logging on
logging trap informational
logging host inside 192.168.70.7
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside XXX
ip address inside 192.168.70.1 255.255.0.0
ip address dmz XXX
ip audit info action alarm
ip audit attack action alarm
ip local pool apool 10.0.0.129-10.0.0.254
ip local pool mpool 10.0.0.1-10.0.0.126
pdm location 192.168.70.38 255.255.255.255 inside
pdm location 192.168.70.2 255.255.255.255 inside
pdm location 192.168.66.60 255.255.255.255 inside
pdm location 192.168.66.0 255.255.255.0 inside
pdm location 192.168.70.0 255.255.255.192 inside
pdm location 192.168.66.15 255.255.255.255 inside
pdm location 192.168.66.25 255.255.255.255 inside
pdm location 172.16.0.66 255.255.255.255 dmz
pdm location 192.168.70.51 255.255.255.255 inside
pdm location 192.168.70.7 255.255.255.255 inside
pdm location 192.168.70.85 255.255.255.255 inside
pdm location 192.168.70.79 255.255.255.255 inside
pdm location 192.168.70.55 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 10 interface
global (dmz) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 192.168.0.0 255.255.0.0 0 0
nat (dmz) 0 access-list dmz_outbound_nat0_acl
static (inside,dmz) 192.168.66.15 192.168.66.15 netmask 255.255.255.255 0 0
static (inside,dmz) 192.168.66.25 192.168.66.25 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
ntp server xxx source outside
http server enable
http 192.168.70.38 255.255.255.255 inside
http 192.168.70.2 255.255.255.255 inside
http 192.168.70.55 255.255.255.255 inside
snmp-server host inside 192.168.70.38
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.70.7 /pix/startup-config-20041029
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map client authentication LOCAL
crypto map outside_map interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup XX1es dns-server 192.168.66.15 192.168.66.25
vpngroup XX1es wins-server 192.168.66.25
vpngroup XX1es default-domain XXX
vpngroup XX1es idle-time 1800
vpngroup XX1es password ********
telnet timeout 5
ssh 10.0.0.0 255.255.255.128 outside
ssh 192.168.70.38 255.255.255.255 inside
ssh 192.168.70.2 255.255.255.255 inside
ssh 192.168.70.55 255.255.255.255 inside
ssh timeout 5
management-access inside
console timeout 0
username XXX password /zBN/1n8NZZhe/Kd encrypted privilege 3
terminal width 80
Cryptochecksum:
: end
[OK]
ASKED: October 4, 2007  7:18 PM
UPDATED: February 21, 2008  7:53 AM

Answer Wiki

You should be able to do a deny access list for the subnet that you want to block.

I’m not sure why you would want to prevent a subnet from connecting to your VPN (unless they are attacking your router via VPN).
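Before relying on an outside-interface deny entry, it helps to check what in the posted config would actually govern who can bring up a tunnel. The following is an added example, not code from the thread: a small Python audit over a constructed excerpt of the poster's PIX 6.3 config (the poster's xx masking is kept), flagging the settings that decide whether an outside ACL even sees VPN peers (the `sysopt connection permit-ipsec` bypass, a crypto map with no static `set peer` entries, dynamic-map match ACLs with source `any`) plus the management exposure noticed on the same pass.

```python
import re

# Constructed excerpt of the PIX 6.3 config from the question (the poster's xx masking is kept).
PIX_CONFIG = """\
PIX Version 6.3(3)
access-list outside_access_in permit tcp any host 63.200.xx eq smtp
access-list outside_access_in remark ICMP_echo_replys_to_Inside_and_DMZ
access-list outside_access_in permit icmp any any echo-reply
access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.128
access-group outside_access_in in interface outside
snmp-server community public
sysopt connection permit-ipsec
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
ssh 10.0.0.0 255.255.255.128 outside
"""

def parse_acls(config):
    """Map ACL name -> list of (action, rule) entries; remark lines are skipped."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (permit|deny) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls

def audit(config):
    """Return findings to review before relying on the outside ACL to limit VPN peers."""
    lines = set(config.splitlines())
    findings = []
    # Decrypted tunnel traffic is exempt from interface ACLs while this sysopt is set.
    if "sysopt connection permit-ipsec" in lines:
        findings.append("permit-ipsec set: tunnel traffic bypasses the outside interface ACL")
    # A crypto map with no static 'set peer' entries relies on the dynamic map, which has no peer list.
    for cmap, iface in re.findall(r"^crypto map (\S+) interface (\S+)$", config, re.M):
        if not re.search(rf"^crypto map {cmap} \d+ set peer ", config, re.M):
            findings.append(f"{cmap} on {iface}: no static peer entries, dynamic map accepts any peer address")
    # Dynamic-map match ACLs with 'any' as source accept tunnels from any remote network.
    for name, entries in parse_acls(config).items():
        if name.startswith("outside_cryptomap_dyn") and any(r.startswith("ip any ") for _, r in entries):
            findings.append(f"{name}: source 'any' in dynamic crypto map match ACL")
    # Management exposure noticed on the same pass.
    for m in re.finditer(r"^ssh (\S+) (\S+) outside$", config, re.M):
        findings.append(f"SSH to the PIX allowed from {m.group(1)}/{m.group(2)} on outside")
    if "snmp-server community public" in lines:
        findings.append("SNMP community is the default 'public'")
    return findings
```

Run `audit(PIX_CONFIG)` to list the findings; the same functions can be pointed at a full `show running-config` capture.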
