[fw-wiz] Cisco PIX: How to restrict remote access to VPN using IP addresses/hostnames
- From: Vahid Pazirandeh <vpaziran@xxxxxxxxx>
- Date: Mon, 18 Sep 2006 16:04:46 -0700 (PDT)
Quick version:
1. I don't want VPN access open to the entire world. Is there a way to limit
its access with ACLs?
2. A follow-up question: can I restrict access to VPN clients based on their
hostnames instead of IPs?
I have a Cisco PIX 515E with 7.2(1) software up and running. I'm very new to
VPN in general, but remote access VPN is working.
I tried using IPSec over TCP (which works), but even if I have a "deny ip any
any" rule for the outside interface, TCP connections are still permitted to the
VPN port 10000 (wow!). How can I deny them? I feel strange having the VPN so
exposed to port scanning.
I did find the "set peer" option:
crypto dynamic-map dyn1 1 set peer 1.2.3.4
which would only allow VPN clients having IP 1.2.3.4 to log in, but the problem
is they still receive a login prompt. Is there a way to hide the VPN entirely
(like just dropping the packets for unknown clients)?
kind regards,
Vahid
=============================================
"Make it better before you make it faster."
=============================================
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards