Limiting VPN Client access to only one server
Posted on 2004-09-22
I am having moments of clarity but they are too few and too far between.
Two different types of people will be using the VPN. VPNGroup blah needs access to everything. VPNGroup stl should be limited to accessing only one server--10.5.5.137. I don't want to use split-tunnel.
Here is a portion of my firewall configuration:
access-list 102 permit ip 10.5.5.0 255.255.255.0 10.5.6.0 255.255.255.240
ip local pool vpnpool 10.5.6.1-10.5.6.15
ip local pool stlpool 10.5.9.1-10.5.9.3
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set trmset1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup blah address-pool vpnpool
vpngroup blah dns-server 10.5.5.136
vpngroup blah default-domain blah.org
vpngroup blah idle-time 1800
vpngroup blah password ********
vpngroup stl address-pool stlpool
vpngroup stl dns-server 10.5.5.136
vpngroup stl default-domain blah.org
vpngroup stl idle-time 1800
vpngroup stl password ********
access-list 102 permit ip host 10.5.5.137 10.5.9.0 255.255.255.252
Will adding the above command limit access from the stl vpngroup to only the server at 10.5.5.137?
If I understand what I have been reading, I will not be able to limit traffic based on the port. Is that correct? Something about nat 0 ignoring any port parameters.
I just got the free 3des license installed and am wondering if I incorporated it into my config correctly. I just changed the references to "des" to "3des" is that the correct way?
Thanks as always.