Question : Cisco VPN and Split Tunneling

Hi Everyone,
I have an issue with a new remtoe access Cisco VPN setup. It needs to be a pretty secure connection so I only want people on this VPN group to have access to certain ports. Below is a statement for my split tunnel acl and it works fine no problems.

extended permit ip host 192.168.100.2 10.254.254.0 255.255.255.0

but I want to lock it down so the VPN users on 10.254.254.0 can only have access to port 80 on 192.168.100.2 so when I remove the rule above and replace it with the following rule I can only longer access port 80

extended permit tcp host 192.168.100.2 10.254.254.0 255.255.255.0 eq 80

Can someone explain what I may be doing wrong in this case? I am usisng a 515 Pix on version 7.2

Answer : Cisco VPN and Split Tunneling

Another solution can be using vpn-filter:

access-list filter permit tcp 10.254.254.0 255.255.255.0 host 192.168.100.2 eq 80
access-list filter deny tcp 10.254.254.0 255.255.255.0 host 192.168.100.2
access-list filter permit ip any any

Assuming that u r using DfltGrpPolicy as the group-policy for remote-access:

group-policy DfltGrpPolicy attributes
vpn-filter filter

The advantage of using vpn-filter is that it will not even allow denied traffic to go to local network. Whereas, in the other method, only the reply from the local-network is denied. The local network will still be getting requests which is meant to be denied.

Random Solutions

Delphi variant array

How many squares are in this diagram?

Cocoa xcode simple startup (iPhone)

DMZ with single WAN IP on SonicWall TZ-200?

Running Access VBA on Open Office Base

Access 2010 VBA - determining which "Yes/No" boxes are checked on a continupus form

Editable dropdown list in ASP.net 3.5 using C#

can I use my hard drive with XP and data on it with a system with replaced motherboard ?

Operation Must Use an Updateable Query

Restarting a WPF application to apply updates