Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

cisco vpn filter rules for limiting traffic

Posted on 2004-04-09
1
Medium Priority
?
571 Views
Last Modified: 2008-02-01
I have a vpn3005 and I need to limit a group of dialin users (ip's 192.168.2.0) who use the Cisco vpn software client to ONLY access one server (192.168.1.20) in the vpn network and ONLY email traffic to that exchange server.  I know I will will need to permit traffic on ports 139, 137 etc  and then make exchange traffic ports static for connecting to the exchange server, but first I want to make sure I can successfully limit users traffic on the vpn.  

I can successfully limit these users to the single ip address by using the filters in Config/Policy Management/Traffic Management/Rules area with the rules below, but can't seem to limit to any one or more ports/protocols.  I tried testing by limiting the dialin user to smtp (port 25) and and testing with 'telnet 192.168.1.20 25' but whenever I choose anything other than 'any' in the protocol selection like TCP for the 'permit'/forward rule it allows no access at all.    Then I tried adding 2 more rules one with TCP and one with UDP both with port 25 in the source and destination ports, thinking I needed to permit both TCP and UDP but no success.  What are the rules I need to accomplish this?  

Rule1 and Rule2 are associated with the DialUsers filter as follows:
- <FilterRule>
  <name>Rule1</name>
  <direction>inbound</direction>
  <action>forward</action>
  <protocol>any</protocol>
  <src_ipaddr>192.168.2.0</src_ipaddr>
  <src_mask>255.255.255.255</src_mask>
  <dst_ipaddr>192.168.1.20</dst_ipaddr>
  <dst_mask>0.0.0.0</dst_mask>
  </FilterRule>

- <FilterRule>
  <name>Rule2</name>
  <direction>inbound</direction>
  <action>drop</action>
  <protocol>any</protocol>
  <src_ipaddr>0.0.0.0</src_ipaddr>
  <src_mask>255.255.255.255</src_mask>
  <dst_ipaddr>0.0.0.0</dst_ipaddr>
  <dst_mask>255.255.255.255</dst_mask>
  </FilterRule>

- <Filter>
  <name>DialUsers</name>
  <default_action>forward</default_action>
  <allow_source_route>false</allow_source_route>
  <allow_fragments>true</allow_fragments>
  <desc>Allow users only email access </desc>
- <rule_list>
  <rule>Rule1</rule>
  <sa />
  <rule>Rule2</rule>
  <sa />
  </rule_list>
  </Filter>
0
Comment
Question by:thefumbler
1 Comment
 
LVL 23

Accepted Solution

by:
Tim Holman earned 2000 total points
ID: 10868033
You need an inbound rule:

Name - SMTP 192.168.1.20 In
Inbound
Forward
TCP
Don't care
Source - DialIn Users
Destination - 192.168.1.20
Source port - range  0-65535
Dst port - 25

and an outboud rule:

Name - SMTP 192.168.1.20 Out
Outbound
Forward
TCP
Don't care
Source - 192.168.1.20
Destination - DialIn Users
Source port - 25
Dst port - range 0-65535

Apply these to the filter, and hey presto, things should start kicking in.
0

Featured Post

Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Using Windows 2008 RRAS, I was able to successfully VPN into the network, but I was having problems restricting my test user from accessing certain things on the network.  I used Google in order to try to find out how to stop people from accessing c…
OpenVPN is a great open source VPN server that is capable of providing quick and easy VPN access to your network on the cheap.  By default the software is configured to allow open access to your network.  But what if you want to restrict users to on…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question