Problem solve Get help with specific problems with your technologies, process and projects.

How to restrict traffic between the VPN server and remote Cisco clients

Setting up a VPN tunnel between a Cisco PIX server and remote clients does not always go smoothly. In this expert Q&A, Mike Chapple reviews how careful management of commands and access control lists can successfully restrict user access.

I have recently set up a VPN tunnel between a Cisco PIX 506E (VPN server) and remote clients. Right now, the remote clients have full access to the private network, but I want them to only have access to a specific application. On the Cisco PIX there's also a site-to-site VPN tunnel setup. From what I understand, the command "sysopt connection permit-ipsec," permits IPsec traffic to pass through the PIX firewall without a check of access list command statements. Is it possible to just permit one type of traffic (protocol) to flow between the VPN server and the remote Cisco clients?

You've actually identified your issue in your question. You have the "sysopt connection permit-ipsec" command in your configuration. This automatically allows VPN traffic into the internal network without filtering. If you want to apply specific port filters to the tunnel, disable the command and apply an access control list to the appropriate PIX interface. Granted, it's not the easiest thing to configure on a PIX, but it's technically possible.

Dig Deeper on Integrating security into networks

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.