[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames

Quick version:
1. I don't want VPN access open to the entire world. Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?

I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to
VPN in general, but remote access VPN is working.

I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so
exposed to port scanning.

I did find the "set peer" option:
crypto dynamic-map dyn1 1 set peer 1.2.3.4

which would only allow VPN clients having IP 1.2.3.4 to log in, but the problem
is they still receive a login prompt. Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?

kind regards,
Vahid


=============================================
"Make it better before you make it faster."
=============================================

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
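For reference, this is how the pieces Vahid mentions fit together in a PIX 7.2(1) remote-access IPsec configuration. It is an added example, not configuration from the original post: `dyn1`, the peer `1.2.3.4` and TCP port 10000 come from the post; `outside_map`, `ESP-3DES-SHA`, `RA-GROUP`, `vpnpool`, the pool range and the pre-shared key are placeholder names chosen here. One caveat a practitioner should know: an interface ACL such as `deny ip any any` filters traffic passing *through* the PIX, not traffic that terminates on the PIX itself, so IKE (UDP/500), ESP and the IPsec-over-TCP listener on port 10000 stay reachable from the outside no matter what the outside ACL says. `set peer` narrows which source address is allowed to negotiate, but it does not close the listener, which is exactly the behaviour the post describes.

```cisco
! Remote-access IPsec VPN on PIX 7.2(1). Added example, not the poster's running
! configuration. Names other than dyn1, 1.2.3.4 and port 10000 are placeholders.

! Phase 1: enabling IKE on the outside interface is what exposes UDP/500 (and,
! below, TCP/10000) to the Internet. Interface ACLs do not apply to this
! to-the-box traffic.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! IPsec over TCP for clients behind restrictive NAT/firewalls (port from the post).
! The PIX now also answers TCP connections to 10000 on the outside interface.
crypto isakmp ipsec-over-tcp port 10000

! Phase 2 transform set (placeholder name)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! Dynamic crypto map for remote-access clients whose addresses are not known in
! advance. The 'set peer' line is the restriction the post found: only 1.2.3.4 may
! complete IKE negotiation. The listener itself remains open to everyone.
crypto dynamic-map dyn1 1 set transform-set ESP-3DES-SHA
crypto dynamic-map dyn1 1 set peer 1.2.3.4

! Bind the dynamic map into the crypto map applied to the outside interface.
crypto map outside_map 65535 ipsec-isakmp dynamic dyn1
crypto map outside_map interface outside

! Address pool and tunnel group (7.2 syntax: type ipsec-ra). Placeholder values.
ip local pool vpnpool 192.168.100.1-192.168.100.50 mask 255.255.255.0
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool vpnpool
tunnel-group RA-GROUP ipsec-attributes
 pre-shared-key REPLACE-WITH-A-STRONG-KEY
```

After applying a configuration like this, `show crypto isakmp sa` and `show crypto ipsec sa` on the PIX show which peers actually negotiated, which is a quick way to confirm that a client outside the `set peer` address is refused during IKE rather than admitted.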
