Cisco VPN Restrict Access by IP ?

Discussion in 'Hardware' started by samirise, Oct 4, 2007.

  1. samirise

    We have a PIX successfully running VPN (I just inherited this network, so I am not sure what all is here yet) and we want to restrict which external IPs can access VPN. What is the best method to do this? See my config below (with obvious parts removed or X'd out).

    PIX Version 6.3(3)
    interface ethernet0 100full
    interface ethernet1 100full
    interface ethernet2 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    nameif ethernet2 dmz security50
    enable password
    passwd
    hostname pix
    domain-name xxx.com
    clock timezone PST -8
    clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol ils 389
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
    no names
    name 192.168.xx
    name 192.168.xx Internet_Allowed
    object-group service BackupExec tcp
    description Backup Exec Remote Agent Ports
    port-object range 50150 50174
    access-list inside_outbound_nat0_acl permit ip any 10.0.0.0 255.255.255.128
    access-list inside_outbound_nat0_acl permit ip 192.168.66.0 255.255.255.0 10.0.0.128 255.255.255.128
    access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 10.0.0.128 255.255.255.128
    access-list outside_cryptomap_dyn_20 permit ip any 10.0.0.128 255.255.255.128
    access-list outside_cryptomap_dyn_40 permit ip any 10.0.0.0 255.255.255.128
    access-list inside_access_in remark Allow_inside_to_DMZ
    access-list inside_access_in permit ip 192.168.0.0 255.255.0.0 172.16.0.64 255.255.255.240
    access-list inside_access_in permit ip 192.168.70.0 255.255.255.192 any
    access-list inside_access_in permit ip host 192.168.66.15 host 132.163.4.102
    access-list inside_access_in permit ip host 192.168.66.15 host 206.13.31.12
    access-list inside_access_in permit ip host 192.168.66.15 host 206.13.28.12
    access-list inside_access_in permit ip host 192.168.66.25 host 206.13.31.12
    access-list inside_access_in permit ip host 192.168.66.25 host 206.13.28.12
    access-list inside_access_in permit ip host 192.168.66.60 any
    access-list inside_access_in permit tcp host 192.168.70.85 host 63.78.220.211
    access-list inside_access_in permit tcp host 192.168.70.85 host 208.46.87.75
    access-list outside_access_in permit tcp any host 63.200.xx eq smtp
    access-list outside_access_in remark Web_Server
    access-list outside_access_in permit tcp any host 63.200.xx eq www
    syslog
    access-list outside_access_in remark ICMP_echo_replys_to_Inside_and_DMZ
    access-list outside_access_in permit icmp any any echo-reply
    access-list outside_access_in remark ICMP_unreachable_messages_to_Inside_and_DMZ
    access-list outside_access_in permit icmp any any unreachable
    access-list outside_access_in remark ICMP_exceeded_max_hops_to_Inside_and_DMZ
    access-list outside_access_in permit icmp any any time-exceeded
    access-list dmz_access_in remark Allow_DMZ_to_Internet
    access-list dmz_access_in permit ip xxx any
    access-list dmz_access_in remark Allow_DMZ_to_XXX
    access-list dmz_access_in permit ip XXX host 192.168.66.15
    access-list dmz_access_in remark Allow_DMZ_to_XXX
    access-list dmz_access_in permit ip XXX host 192.168.66.25
    access-list dmz_access_in remark Ports for Backup Exec agents in DMZ (temp for all ports)
    access-list dmz_access_in permit tcp XXX host XXXX
    access-list dmz_outbound_nat0_acl remark 11/29/2006 VNC from VPN to DMZ
    access-list dmz_outbound_nat0_acl permit ip XXX 10.0.0.128 255.255.255.128
    access-list dmz_outbound_nat0_acl remark 11/29/2006 VNC from VPN to DMZ
    access-list dmz_outbound_nat0_acl permit ip XXX 10.0.0.0 255.255.255.128
    pager lines 24
    logging on
    logging trap informational
    logging host inside 192.168.70.7
    mtu outside 1500
    mtu inside 1500
    mtu dmz 1500
    ip address outside XXX
    ip address inside 192.168.70.1 255.255.0.0
    ip address dmz XXX
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool apool 10.0.0.129-10.0.0.254
    ip local pool mpool 10.0.0.1-10.0.0.126
    pdm location 192.168.70.38 255.255.255.255 inside
    pdm location 192.168.70.2 255.255.255.255 inside
    pdm location 192.168.66.60 255.255.255.255 inside
    pdm location 192.168.66.0 255.255.255.0 inside
    pdm location 192.168.70.0 255.255.255.192 inside
    pdm location 192.168.66.15 255.255.255.255 inside
    pdm location 192.168.66.25 255.255.255.255 inside
    pdm location 172.16.0.66 255.255.255.255 dmz
    pdm location 192.168.70.51 255.255.255.255 inside
    pdm location 192.168.70.7 255.255.255.255 inside
    pdm location 192.168.70.85 255.255.255.255 inside
    pdm location 192.168.70.79 255.255.255.255 inside
    pdm location 192.168.70.55 255.255.255.255 inside
    pdm history enable
    arp timeout 14400
    global (outside) 10 interface
    global (dmz) 10 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 10 192.168.0.0 255.255.0.0 0 0
    nat (dmz) 0 access-list dmz_outbound_nat0_acl
    static (inside,dmz) 192.168.66.15 192.168.66.15 netmask 255.255.255.255 0 0
    static (inside,dmz) 192.168.66.25 192.168.66.25 netmask 255.255.255.255 0 0
    access-group outside_access_in in interface outside
    access-group inside_access_in in interface inside
    access-group dmz_access_in in interface dmz
    route outside 0.0.0.0 0.0.0.0
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication ssh console LOCAL
    ntp server xxx source outside
    http server enable
    http 192.168.70.38 255.255.255.255 inside
    http 192.168.70.2 255.255.255.255 inside
    http 192.168.70.55 255.255.255.255 inside
    snmp-server host inside 192.168.70.38
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    tftp-server inside 192.168.70.7 /pix/startup-config-20041029
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
    crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
    crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
    crypto dynamic-map outside_dyn_map 40 set transform-set ESP-3DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
    crypto map outside_map client authentication LOCAL
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp nat-traversal 20
    isakmp policy 20 authentication pre-share
    isakmp policy 20 encryption 3des
    isakmp policy 20 hash md5
    isakmp policy 20 group 2
    isakmp policy 20 lifetime 86400
    vpngroup XX1es dns-server 192.168.66.15 192.168.66.25
    vpngroup XX1es wins-server 192.168.66.25
    vpngroup XX1es default-domain XXX
    vpngroup XX1es idle-time 1800
    vpngroup XX1es password ********
    telnet timeout 5
    ssh 10.0.0.0 255.255.255.128 outside
    ssh 192.168.70.38 255.255.255.255 inside
    ssh 192.168.70.2 255.255.255.255 inside
    ssh 192.168.70.55 255.255.255.255 inside
    ssh timeout 5
    management-access inside
    console timeout 0
    username XXX password /zBN/1n8NZZhe/Kd encrypted privilege 3
    terminal width 80
    Cryptochecksum:: end
    [OK]
     
    samirise, Oct 4, 2007
    #1

  2. Greeley
    I am not sure I understand the question. Do you mean who can create a VPN against your network, or who can go through the established VPN tunnel?
    No set peer address would cancel out some other network from making a VPN tunnel to your company.

    The ACL that defines interesting traffic to go across the VPN tunnel could be modified depending on whether you only wanted certain inside hosts of the other network to have access to the devices on the other side of the tunnel.


    --G
     
    Greeley, Dec 16, 2007
    #2
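Added example (not written by either poster): the part of the posted config that admits any Internet host to IKE, followed by a static crypto map entry that pins one peer by address, in PIX 6.3 syntax as Greeley's "set peer" suggestion would look against this config. The peer address 203.0.113.10, the remote LAN 192.168.200.0/24, the ACL name outside_cryptomap_10 and the key placeholder are assumptions for illustration; lines beginning with ! are annotations, not config.

```cisco
! --- As posted: a dynamic crypto map entry. It matches any peer, so any
! --- host on the Internet that knows the vpngroup password can start IKE.
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

! --- Pinning one site-to-site peer to a fixed address (assumed values).
! Interesting traffic: inside networks <-> the assumed remote LAN.
access-list outside_cryptomap_10 permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
! Exempt the same traffic from NAT, as the posted nat 0 ACL does for the pools.
access-list inside_outbound_nat0_acl permit ip 192.168.0.0 255.255.0.0 192.168.200.0 255.255.255.0
! Static entry with a lower sequence number than the dynamic entry (65535),
! so it is evaluated first; only the peer named here can bring up this SA.
crypto map outside_map 10 ipsec-isakmp
crypto map outside_map 10 match address outside_cryptomap_10
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set transform-set ESP-3DES-SHA
! Pre-shared key bound to that one address (placeholder key). The posted map
! has "client authentication LOCAL", which applies Xauth to every peer on it,
! so the site-to-site peer is exempted with no-xauth no-config-mode.
isakmp key <preshared-key> address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode
```

Two caveats for the original question. Remote-access clients admitted by the dynamic map (the vpngroup users on apool/mpool) connect from changing addresses, so they cannot be pinned to a source IP this way; the control for them is the group password plus per-user Xauth credentials, and removing the `65535 ... dynamic` line removes remote access entirely. Also, the `outside_access_in` access-group filters traffic passing through the PIX, not IKE terminating on the PIX's own outside interface, so a deny for UDP 500 there does not restrict who may negotiate; the restriction has to live in the crypto configuration as above.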