Virus.Org  IT Security News and Information Portal. We offer the latest IT security news, updates, product reviews, books, and articles for all you IT security professionals out there. Enter and get the best IT security information on the Internet.

Welcome to the Virus.Org Mailing List Archive

RE: [VPN] Complete VPN access to all PIX interfaces

  • To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
  • Subject: RE: [VPN] Complete VPN access to all PIX interfaces
  • From: "shannong" <[EMAIL PROTECTED]>
  • Date: Mon, 28 Apr 2003 22:22:51 -0500
  • In-reply-to: <[EMAIL PROTECTED]>
  • Sender: [EMAIL PROTECTED]
You need to remove the command [sysopt connection permit-ipsec].  This
tells the PIX to bypass all ACLs for traffic incoming from VPN tunnels.
Instead, use an ACL on the interface where the VPN is terminated
(outside in your case) to allow exactly the traffic you want. Keep in
mind the command is global, and you'll need to define ACEs that allow
all desired VPN traffic for all tunnels.

-Shannon


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Thursday, April 24, 2003 11:20 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [VPN] Complete VPN access to all PIX interfaces


I have a PIX 6.2 with 6 interfaces and VPN client 3.0. I have configured
the firewall to permit a VPN connection using the following conf:

access-list 100 permit ip x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.0
nat (dmz2) 0 access-list 100
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 30 set transform-set myset
crypto map newmap 20 ipsec-isakmp dynamic dynmap
crypto map newmap interface outside

* and the configuration of the vpngroup and isakmp

The problem is that I only want the VPN client to access my x.x.x.x
network in dmz2, but the VPN client can access all the computers in the
internal, dmz1, dmz3, etc. (all the interfaces).

Thanks in advance.

_______________________________________
Jorge Mondaca
Gerencia Seguridad Corporativa
(591) 2-2313030 ext 2021
(591) 72029832


_______________________________________________
VPN mailing list
[EMAIL PROTECTED]
http://lists.shmoo.com/mailman/listinfo/vpn
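
Putting Shannon's advice into PIX 6.2 syntax, as an added example (this is
not Shannon's or Jorge's configuration): the posted bypass beside a
replacement that terminates the same tunnel but lets the outside interface
ACL decide what the client may reach. Every concrete value is assumed for
illustration: 172.16.2.0/24 stands in for Jorge's x.x.x.x network on dmz2,
10.10.10.0/24 for the client pool (y.y.y.y), 192.0.2.1 for the PIX outside
address, and `clients`/`vpnpool` for the vpngroup and pool names. The
isakmp policy, pre-shared key and the crypto map lines Jorge already has are
unchanged and not repeated.

```text
!--- BEFORE (as posted): decrypted IPsec traffic skips every interface ACL,
!--- so a client in the pool can reach inside, dmz1, dmz3 ... not only dmz2.
sysopt connection permit-ipsec
access-list 100 permit ip 172.16.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz2) 0 access-list 100

!--- AFTER: drop the bypass and filter the decrypted traffic on the interface
!--- that terminates the tunnel (outside). Addresses and names are assumed.
no sysopt connection permit-ipsec

ip local pool vpnpool 10.10.10.1-10.10.10.254
vpngroup clients address-pool vpnpool
vpngroup clients split-tunnel 100
vpngroup clients password <group-key>

!--- NAT exemption for dmz2 <-> client pool stays exactly as it was.
access-list 100 permit ip 172.16.2.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (dmz2) 0 access-list 100

!--- Inbound ACL on outside. With the sysopt bypass gone this one list is
!--- global for every tunnel landing on outside: one ACE per tunnel/destination.
!--- 1) IKE and ESP to the PIX itself. Harmless if your release already
!---    exempts to-the-box traffic from the ACL; needed if it does not.
access-list outside_in permit udp any host 192.0.2.1 eq isakmp
access-list outside_in permit esp any host 192.0.2.1
!--- 2) Decrypted client traffic: only towards dmz2.
access-list outside_in permit ip 10.10.10.0 255.255.255.0 172.16.2.0 255.255.255.0
!--- 3) Anything else from the pool (inside, dmz1, dmz3 ...) is dropped here.
!---    The implicit deny would do the same; an explicit ACE gives a hit counter.
access-list outside_in deny ip 10.10.10.0 255.255.255.0 any
access-group outside_in in interface outside
```

Two practical checks. `access-group` binds a single ACL per direction per
interface, so any ACEs already permitting Internet traffic to public servers
on outside must be merged into `outside_in` before it is applied, or they
stop working. After the change, run `clear xlate`, reconnect a client, try
hosts on dmz2 and on inside, and compare the hit counts in
`show access-list outside_in`: the dmz2 ACE should count up, the deny ACE
should count the blocked attempts, and `show crypto ipsec sa` confirms the
tunnel itself is still up.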

Copyright (c) Virus.Org 1997-2006.
All Trademarks Acknowledged.
Please view our Terms and Conditions and our Privacy Policy.