Solved

Limiting VPN Client access to only one server

Posted on 2004-09-22
3
154 Views
Last Modified: 2011-09-20
I am having moments of clarity but they are too few and too far between.

Two different types of people will be using the VPN.  VPNGroup blah needs access to everything.  VPNGroup stl should be limited to accessing only one server--10.5.5.137.  I don't want to use split-tunnel.

Here is a portion of my firewall configuration:

access-list 102 permit ip 10.5.5.0 255.255.255.0 10.5.6.0 255.255.255.240
ip local pool vpnpool 10.5.6.1-10.5.6.15
ip local pool stlpool 10.5.9.1-10.5.9.3
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set trmset1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup blah address-pool vpnpool
vpngroup blah dns-server 10.5.5.136
vpngroup blah default-domain blah.org
vpngroup blah idle-time 1800
vpngroup blah password ********
vpngroup stl address-pool stlpool
vpngroup stl dns-server 10.5.5.136
vpngroup stl default-domain blah.org
vpngroup stl idle-time 1800
vpngroup stl password ********

access-list 102 permit ip host 10.5.5.137 10.5.9.0 255.255.255.252
Will adding the above command limit access from the stl vpngroup to only the server at 10.5.5.137?
If I understand what I have been reading, I will not be able to limit traffic based on the port.  Is that correct?  Something about nat 0 ignoring any port parameters.

I just got the free 3des license installed and am wondering if I incorporated it into my config correctly.  I just changed the references to "des" to "3des"  is that the correct way?

Thanks as always.
0
Comment
Question by:averyb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 350 total points
ID: 12127316
Looks like you're more lucid than you feel like you are..
DES to 3DES looks like you're all set.

Very creative use of multiple vpngroups and address pools. It appears that it just might work!
You are correct that nat0 will not support specific ports.

One alternative is to use a Radius server that will apply access-list restrictions on a login ...
But I like the simple aproach that you're taking.
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 150 total points
ID: 12134284
Downloadable access-lists using RADIUS would be more manageable if you have lots of these to do - grblades' article should do the trick:

http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html

0
 
LVL 4

Author Comment

by:averyb
ID: 12162583
Thanks for the verification on the configuration.  I was able to to do some testing add it appears to work as intended.  I'll look into using RADIUS.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco ASA 5505 NAT question 8 126
GPR - Cannot telnet 15 90
Probable TCP NULL scan detected 10 413
Is my Machine open to hackers 3 123
To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question