Restrict traffic for Cisco VPN clients

Incident response
Intrusion management
Network security
Hi all,

First some background for my question: I have recently set up a VPN tunnel between a Cisco PIX 506E (VPN server) and remote clients. The remote clients use Cisco VPN Client software version 4.8. Everything seems to work fine. But as it is configured right now the remote clients have full access to the private network (they can log on to servers and so on). I want the remote clients only to have access to a specific application. Only one type of traffic is supposed to flow from the VPN server to the clients (for security reasons).

On the Cisco PIX there's also a site-to-site VPN tunnel set up. I have understood that the command sysopt connection permit-ipsec permits IPSec traffic to pass through the PIX firewall without a check of access-list command statements. I guess this site-to-site tunnel needs this command.

So finally, the question: Is it possible to just permit one type of traffic (protocol) to flow between the VPN server and the remote Cisco clients?

Regards, Daniel

Answer Wiki


Keep in mind we are talking about two different access-lists. The first one is the inbound access-list on the outside interface. This is the one that the sysopt permit-ipsec command allows IPSec traffic to bypass. If you do not do this then you will need to ensure that any IPSec initiator on the outside is added to that ACL or they would never be able to initiate an IPSec session.

The next ACL is the interesting traffic ACL. This is the one that says: if this traffic matches this ACL then encrypt it (or decrypt, depending on which direction it's going).

This is the ACL on which you would put your limits on what servers and services the connecting clients can connect to. If you only want them to access your mail server via SMTP then create your interesting traffic ACL such that only the mail server can talk to the clients via SMTP (the ACL will get mirrored on the remote side so you're only creating the half that allows outbound traffic). Of course if you have more servers and services you can add them in.

This ACL usually reads permit ip any any for ease of setting up the IPSec tunnel, and for site-to-site VPNs that is usually what you want. But there is no reason you can't use this ACL to lock down to be more specific.

Good Luck!


Use the vpn-filter command at the group-policy level.
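The two answers above restrict the clients at different points. The first answer's interesting-traffic ACL is the normal place to narrow a site-to-site tunnel, where both peers define matching ACLs; for the software clients Daniel reports further down that narrowing the dynamic map's ACL did not work for him. The second answer's vpn-filter is a group-policy attribute that only exists from PIX/ASA software 7.0 onward (PIX 6.3, which Daniel runs, has vpngroup but no group-policy). The following is an added example of that vpn-filter approach, not configuration from the thread; the mail server address 10.1.1.25, the client pool 192.168.100.0/24, and the group and pool names are assumptions.

```cisco
! Added example (not from the original thread): limit Cisco VPN Client users
! to SMTP on a single mail server with a vpn-filter. PIX/ASA 7.0+ syntax.
! Assumed addresses: mail server 10.1.1.25, client address pool 192.168.100.0/24.
!
! A vpn-filter ACL is written from the protected host's point of view:
! source = inside host/port, destination = the VPN client's pool address.
! The firewall applies it to traffic in both directions, so no separate
! return-traffic entry is needed.
access-list VPNCLIENT-FILTER extended permit tcp host 10.1.1.25 eq smtp 192.168.100.0 255.255.255.0
!
! Anything not permitted above hits the implicit deny at the end of the
! filter, which is what stops the RDP/SMB logons to other servers.
group-policy vpnclients internal
group-policy vpnclients attributes
 vpn-filter value VPNCLIENT-FILTER
!
ip local pool vpnpool 192.168.100.1-192.168.100.254 mask 255.255.255.0
tunnel-group vpnclients general-attributes
 address-pool vpnpool
 default-group-policy vpnclients
!
! The site-to-site tunnels are untouched: the interface-ACL bypass
! (sysopt connection permit-vpn, called permit-ipsec on the 6.x releases)
! stays on, and a vpn-filter applies only to the group it is attached to.
sysopt connection permit-vpn
```

After a client connects, `show vpn-sessiondb detail remote` lists the session with its Filter Name, which is the quickest way to confirm the policy actually landed on the session rather than on an unused group. If the clients also need DNS or name resolution for the mail server, that has to be added to the filter explicitly; the implicit deny does not make an exception for it.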

Discuss This Question: 5  Replies

  • Vdinenna
    You might have to include a config file from the PIX 506E. Usually everything is denied until allowed with an access-list.
  • Daniel4
    Hi, Thanks for your help! But I didn't get things to work. I tried to restrict the access-list outside_cryptomap_dyn_20, without any result. There must be something that I don't see. Maybe you can take a look at my configuration for the VPN connection.

    PIX Version 6.3(4)
    interface ethernet0 10full
    interface ethernet1 10full
    | | |
    access-list Romevpn permit ip any x.x.x.x
    access-list outside_cryptomap_dyn_20 permit ip any
    access-list Paris-vpn permit ip x.x.x.x x.x.x.x
    | |
    ip local pool vpnpool
    sysopt connection permit-ipsec
    sysopt connection permit-pptp
    sysopt connection permit-l2tp
    crypto ipsec transform-set hpvpn esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-MD5
    crypto map vpn 10 ipsec-isakmp
    crypto map vpn 10 match address Romevpn
    crypto map vpn 10 set peer Rome
    crypto map vpn 10 set transform-set hpvpn
    crypto map vpn 40 ipsec-isakmp
    crypto map vpn 40 match address Paris-vpn
    crypto map vpn 40 set peer Paris
    crypto map vpn 40 set transform-set hpvpn
    crypto map vpn 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map vpn interface outside
    isakmp enable outside
    isakmp key ******** address netmask
    isakmp key ******** address Paris netmask no-xauth no-config-mode
    isakmp key ******** address Rome netmask no-xauth no-config-mode
    isakmp nat-traversal 20
    isakmp policy 1 authentication pre-share
    isakmp policy 1 encryption aes-192
    isakmp policy 1 hash sha
    isakmp policy 1 group 1
    isakmp policy 1 lifetime 28000
    isakmp policy 25 authentication pre-share
    isakmp policy 25 encryption 3des
    isakmp policy 25 hash md5
    isakmp policy 25 group 2
    isakmp policy 25 lifetime 86400
    vpngroup vpnclients address-pool vpnpool
    vpngroup vpnclients dns-server HPAD1 x.x.x.x
    vpngroup vpnclients wins-server HPAD1
    vpngroup vpnclients default-domain x.local
    vpngroup vpnclients idle-time 1800
    vpngroup vpnclients password ********
    | |
    end

    Well, I'd better continue working with this issue. Thanks again! /Daniel
  • Astronomer
    Daniel: You may want to look at the example at this link: Another possibility is if your server has a built-in firewall or if you have an internal router with access lists. You can limit what the VPN address pool can do. rt
  • PeterMac
    It may be possible to achieve most of what you want by another method. If the reason for the restriction is the type of user using the VPN link, rather than the fact that they are using the link, place the VPN users in a separate group and restrict access via AD.
  • Daniel4
    Hi, It seems that you can't create a crypto map ACL with layer 4 restrictions (tcp) in the Cisco PIX. So maybe the AD can solve this issue. Another thought: I have a Cisco Catalyst 2950 (with EA1) on the outside of the PIX where I can possibly create an ACL... I could skip the command sysopt connection permit-ipsec in the PIX, and just create a new ACL for all of the VPN connections. But I'd rather not do this because then I have to re-configure the site-to-site VPNs, and they are working really well and have no restrictions. The struggle goes on... Thanks for the AD tip! /Daniel
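Daniel's second thought above, dropping sysopt connection permit-ipsec and letting the outside interface ACL see the decrypted traffic, is the one option that works on PIX 6.3 without touching the crypto maps: the site-to-site tunnels keep negotiating exactly as before, only their decrypted packets now need entries in the outside ACL. What follows is an added example in PIX 6.3 syntax, not part of Daniel's posted configuration; the inside LAN 10.1.1.0/24, mail server 10.1.1.25, client pool 192.168.100.0/24, Rome LAN 10.2.0.0/16, Paris LAN 10.3.0.0/16 and PIX outside address 203.0.113.1 are all assumptions, and the ACL name is arbitrary.

```cisco
! Added example (not from Daniel's config): PIX 6.3 syntax for restricting
! the software clients with the outside interface ACL after turning off the
! IPSec bypass. Assumed addresses: inside LAN 10.1.1.0/24, mail server
! 10.1.1.25, client pool 192.168.100.0/24 (ip local pool vpnpool), Rome LAN
! 10.2.0.0/16, Paris LAN 10.3.0.0/16, PIX outside interface 203.0.113.1.
!
! With the bypass off, every decrypted packet is checked against the ACL
! bound inbound on the outside interface. The crypto maps are unchanged.
no sysopt connection permit-ipsec
!
! Remote-access clients: decrypted packets arrive on "outside" with the pool
! address as source. Permit SMTP to the mail server and nothing else.
access-list outside_access_in permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.25 eq smtp
!
! Site-to-site peers: keep them unrestricted, as they are today. Without
! these lines the Rome and Paris tunnels come up but their traffic is dropped.
access-list outside_access_in permit ip 10.2.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list outside_access_in permit ip 10.3.0.0 255.255.0.0 10.1.1.0 255.255.255.0
!
! IKE (udp/500), NAT-T (udp/4500) and ESP to the PIX itself, so initiators
! on the outside can still bring tunnels up, as the first answer points out.
! "any" because the software clients roam; IKE still authenticates them.
access-list outside_access_in permit udp any host 203.0.113.1 eq 500
access-list outside_access_in permit udp any host 203.0.113.1 eq 4500
access-list outside_access_in permit esp any host 203.0.113.1
!
! Everything else from the outside, decrypted or not, hits the implicit deny.
access-group outside_access_in in interface outside
```

Two checks before relying on this: bring a client up and confirm with `show access-list outside_access_in` that the SMTP line's hit count climbs while an RDP attempt to another server does not, and confirm the Rome and Paris entries are taking hits too. The caveat is that an interface ACL cannot tell a decrypted packet from a cleartext one with the same addresses, so the pool and remote LAN ranges should also be dropped as source addresses on the Catalyst 2950 or the upstream router; the vpn-filter available on 7.x software avoids that ambiguity because it is bound to the tunnel session rather than the interface.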
