Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Limiting VPN Client access to only one server

Posted on 2004-09-22
3
Medium Priority
?
156 Views
Last Modified: 2011-09-20
I am having moments of clarity but they are too few and too far between.

Two different types of people will be using the VPN.  VPNGroup blah needs access to everything.  VPNGroup stl should be limited to accessing only one server--10.5.5.137.  I don't want to use split-tunnel.

Here is a portion of my firewall configuration:

access-list 102 permit ip 10.5.5.0 255.255.255.0 10.5.6.0 255.255.255.240
ip local pool vpnpool 10.5.6.1-10.5.6.15
ip local pool stlpool 10.5.9.1-10.5.9.3
nat (inside) 0 access-list 102
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set trmset1
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup blah address-pool vpnpool
vpngroup blah dns-server 10.5.5.136
vpngroup blah default-domain blah.org
vpngroup blah idle-time 1800
vpngroup blah password ********
vpngroup stl address-pool stlpool
vpngroup stl dns-server 10.5.5.136
vpngroup stl default-domain blah.org
vpngroup stl idle-time 1800
vpngroup stl password ********

access-list 102 permit ip host 10.5.5.137 10.5.9.0 255.255.255.252
Will adding the above command limit access from the stl vpngroup to only the server at 10.5.5.137?
If I understand what I have been reading, I will not be able to limit traffic based on the port.  Is that correct?  Something about nat 0 ignoring any port parameters.

I just got the free 3des license installed and am wondering if I incorporated it into my config correctly.  I just changed the references to "des" to "3des"  is that the correct way?

Thanks as always.
0
Comment
Question by:averyb
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 1400 total points
ID: 12127316
Looks like you're more lucid than you feel like you are..
DES to 3DES looks like you're all set.

Very creative use of multiple vpngroups and address pools. It appears that it just might work!
You are correct that nat0 will not support specific ports.

One alternative is to use a Radius server that will apply access-list restrictions on a login ...
But I like the simple aproach that you're taking.
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 600 total points
ID: 12134284
Downloadable access-lists using RADIUS would be more manageable if you have lots of these to do - grblades' article should do the trick:

http://www.gbnetwork.co.uk/networking/ciscopixvpnradius.html

0
 
LVL 4

Author Comment

by:averyb
ID: 12162583
Thanks for the verification on the configuration.  I was able to to do some testing add it appears to work as intended.  I'll look into using RADIUS.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Video by: ITPro.TV
In this episode Don builds upon the troubleshooting techniques by demonstrating how to properly monitor a vSphere deployment to detect problems before they occur. He begins the show using tools found within the vSphere suite as ends the show demonst…
In response to a need for security and privacy, and to continue fostering an environment members can turn to for support, solutions, and education, Experts Exchange has created anonymous question capabilities. This new feature is available to our Pr…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question