I have a Cisco PIX506E connecting our 3 other facilities via VPN, and all is fine. We have the need to create a VPN connection with one of our clients, but they will be using different isakmp policies and transform sets. Can I connect to this client as well as keep our existing facilities working? I also would not want our client to be able to browse around our network ...
Yes, no problem. Transform sets are configured at the same level that you configure peer and ACL to match. For the isakmp policy, just add another policy with a higher policy number.
If you currently have sysopt connection permit-ipsec configured, you will have to turn that off, and when you do so you will have to configure your access-list attached to your outside interface (access-group) to permit the existing VPN traffic.
Then for the new client, you would add to your outside interface access-list -only-:
- necessary IP traffic from the new client -other- than TCP, UDP, and ICMP
- ICMP time-exceeded and unreachable and possibly echo-reply
- replying UDP traffic from the client that might be delayed by more than 2 minutes (e.g., some Exchange flows), and UDP traffic they are authorized to initiate to you (e.g., WINS, DNS, perhaps NETBIOS). Allow as little UDP traffic in as you can get away with.
Do -not- allow any TCP connections from the client, not unless they are authorized to use some server of yours. [Note: some forms of DNS can require TCP, but a lot of the time you can get away with just UDP for DNS.]
If you leave permit-ipsec configured, then you would need to work hard on your crypto map match-address ACL, and will probably find it too messy to get the controls you want, at least without having the PIX complain. PIX 6.2 does not allow you to specify your crypto map ACL right down to the port level; PIX 6.3 does, but you would probably have to use at least the 3.6 VPN client (there are some combinations of OS's and configurations for which people still use 3.0; there have been a series of problems with the 4.0 client.)
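The steps in the answer above, laid out as a PIX 6.x configuration sketch. This is an added example, not part of the original reply. Every name and address in it is an assumption: crypto map `vpnmap`, ACLs `outside_in` and `client_vpn`, the policy and sequence numbers, and the client's IKE/IPsec parameters, which must be whatever the client actually specifies.

```cisco
: Constructed addresses: local LAN 10.0.0.0/24, facility LANs 10.1.0.0/24,
: 10.2.0.0/24 and 10.3.0.0/24, client LAN 172.16.50.0/24, client peer
: 203.0.113.10, internal DNS server 10.0.0.53.

: Additional IKE policy for the client; the existing policy is left untouched.
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
isakmp key <client-pre-shared-key> address 203.0.113.10 netmask 255.255.255.255

: Client-specific transform set, configured alongside its own peer and match ACL
: as a new sequence number in the crypto map already applied to the outside interface.
crypto ipsec transform-set client-set esp-3des esp-sha-hmac
access-list client_vpn permit ip 10.0.0.0 255.255.255.0 172.16.50.0 255.255.255.0
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address client_vpn
crypto map vpnmap 40 set peer 203.0.113.10
crypto map vpnmap 40 set transform-set client-set

: Decrypted tunnel traffic is now checked against the outside interface ACL.
no sysopt connection permit-ipsec

: Existing facilities keep the access they had while permit-ipsec was on.
access-list outside_in permit ip 10.1.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_in permit ip 10.2.0.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list outside_in permit ip 10.3.0.0 255.255.255.0 10.0.0.0 255.255.255.0

: New client: ICMP replies and errors only.
access-list outside_in permit icmp 172.16.50.0 255.255.255.0 10.0.0.0 255.255.255.0 time-exceeded
access-list outside_in permit icmp 172.16.50.0 255.255.255.0 10.0.0.0 255.255.255.0 unreachable
access-list outside_in permit icmp 172.16.50.0 255.255.255.0 10.0.0.0 255.255.255.0 echo-reply

: New client: one authorized UDP service (DNS to a single host). There is no
: TCP entry for the client, so the ACL's implicit deny blocks its TCP connections.
access-list outside_in permit udp 172.16.50.0 255.255.255.0 host 10.0.0.53 eq domain

access-group outside_in in interface outside
```

If an ACL is already bound to the outside interface, add these entries to that ACL instead of binding a new one, since `access-group` attaches a single inbound ACL per interface.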