thefumbler
asked on
cisco vpn filter rules for limiting traffic
I have a vpn3005 and I need to limit a group of dialin users (ip's 192.168.2.0) who use the Cisco vpn software client to ONLY access one server (192.168.1.20) in the vpn network and ONLY email traffic to that exchange server. I know I will will need to permit traffic on ports 139, 137 etc and then make exchange traffic ports static for connecting to the exchange server, but first I want to make sure I can successfully limit users traffic on the vpn.
I can successfully limit these users to the single ip address by using the filters in Config/Policy Management/Traffic Management/Rules area with the rules below, but can't seem to limit to any one or more ports/protocols. I tried testing by limiting the dialin user to smtp (port 25) and and testing with 'telnet 192.168.1.20 25' but whenever I choose anything other than 'any' in the protocol selection like TCP for the 'permit'/forward rule it allows no access at all. Then I tried adding 2 more rules one with TCP and one with UDP both with port 25 in the source and destination ports, thinking I needed to permit both TCP and UDP but no success. What are the rules I need to accomplish this?
Rule1 and Rule2 are associated with the DialUsers filter as follows:
- <FilterRule>
<name>Rule1</name>
<direction>inbound</direct ion>
<action>forward</action>
<protocol>any</protocol>
<src_ipaddr>192.168.2.0</s rc_ipaddr>
<src_mask>255.255.255.255< /src_mask>
<dst_ipaddr>192.168.1.20</ dst_ipaddr >
<dst_mask>0.0.0.0</dst_mas k>
</FilterRule>
- <FilterRule>
<name>Rule2</name>
<direction>inbound</direct ion>
<action>drop</action>
<protocol>any</protocol>
<src_ipaddr>0.0.0.0</src_i paddr>
<src_mask>255.255.255.255< /src_mask>
<dst_ipaddr>0.0.0.0</dst_i paddr>
<dst_mask>255.255.255.255< /dst_mask>
</FilterRule>
- <Filter>
<name>DialUsers</name>
<default_action>forward</d efault_act ion>
<allow_source_route>false< /allow_sou rce_route>
<allow_fragments>true</all ow_fragmen ts>
<desc>Allow users only email access </desc>
- <rule_list>
<rule>Rule1</rule>
<sa />
<rule>Rule2</rule>
<sa />
</rule_list>
</Filter>
I can successfully limit these users to the single ip address by using the filters in Config/Policy Management/Traffic Management/Rules area with the rules below, but can't seem to limit to any one or more ports/protocols. I tried testing by limiting the dialin user to smtp (port 25) and and testing with 'telnet 192.168.1.20 25' but whenever I choose anything other than 'any' in the protocol selection like TCP for the 'permit'/forward rule it allows no access at all. Then I tried adding 2 more rules one with TCP and one with UDP both with port 25 in the source and destination ports, thinking I needed to permit both TCP and UDP but no success. What are the rules I need to accomplish this?
Rule1 and Rule2 are associated with the DialUsers filter as follows:
- <FilterRule>
<name>Rule1</name>
<direction>inbound</direct
<action>forward</action>
<protocol>any</protocol>
<src_ipaddr>192.168.2.0</s
<src_mask>255.255.255.255<
<dst_ipaddr>192.168.1.20</
<dst_mask>0.0.0.0</dst_mas
</FilterRule>
- <FilterRule>
<name>Rule2</name>
<direction>inbound</direct
<action>drop</action>
<protocol>any</protocol>
<src_ipaddr>0.0.0.0</src_i
<src_mask>255.255.255.255<
<dst_ipaddr>0.0.0.0</dst_i
<dst_mask>255.255.255.255<
</FilterRule>
- <Filter>
<name>DialUsers</name>
<default_action>forward</d
<allow_source_route>false<
<allow_fragments>true</all
<desc>Allow users only email access </desc>
- <rule_list>
<rule>Rule1</rule>
<sa />
<rule>Rule2</rule>
<sa />
</rule_list>
</Filter>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.