Limiting VPN Access to only a small section of the network

How can I limit VPN access to a small section of my network? In fact, I just want users coming in on VPN to access just one machine once they gain entrance to the network.


gabeso, Solution Architect, commented:
A good way of doing this is to use a firewall to block incoming packets that aren't for the permitted machine. It depends on the network you have: a firewall would need to be present after the VPN box to do this, as users would have to be authenticated first, but then any attempt to contact other hosts would be intercepted and blocked.

Christian_Agard, Author, commented:
I use ISA 2000, and the VPN client from ISA 2000.
I created a test username and it can connect via the VPN, but I saw nowhere on the firewall to limit the connection to one machine.

Any ideas?

gabeso, Solution Architect, commented:
I was thinking more of a separate firewall device - it's more secure and easier to configure.

However, if you are working with the Microsoft setup that you have... is it not possible to use Active Directory to deny these users access to any of these hosts - something like creating a group for all of the VPN users and then making sure that they are only allowed access to the permitted host and denied access to the others?
What VPN are you using? Microsoft? Cisco? etc? On some VPN setups, you can define the destination network. You can enter a subnet mask of to limit their connection to one IP.
I agree with gabeso that an actual external firewall device (such as a Sonicwall) would be your best bet. Such devices often allow you to determine which segment of the network you would like the VPN to 'terminate' upon. In other words, you will have multiple IP ranges (subnets), and the VPN will stop there (it can be a single machine). On a device like the Sonicwall, there are multiple NIC ports (LAN, WAN, DMZ), each with their own MAC addresses that can be bound to a particular subnet or 'zone'. The VPN will terminate at said zone, and Windows Networking (NetBIOS) will not show any other machines, shared drives, etc. except the ones in that zone.
If that is not an option, for cost or other reasons, simply make sure that all other computers' shared resources, like mapped drives, are secured by the appropriate Active Directory user permissions. Then if the user looks at the 'Entire Network' he will be able to see the friendly NetBIOS names, but should be unable to access any sensitive resources.

What type of VPN/OS are you using? As Victonegri suggested, there are often parameters within the Remote Access Server that allow you to control the destination network. In WS 2003, go to Manage My Server, click on the 'Manage this RAS/VPN server' link, go to Remote Access Policies and choose Properties on your VPN policy. Then under the IP tab is an IP filter that will allow you to restrict the types of packets sent and received. This should allow you to prevent the VPN client from viewing protected network devices.
I hope this was helpful! I am a network admin for a company in NC, and am new to this site and look forward to sharing my knowledge and learning as much as I can from the many skilled experts here!

As mentioned by 1 UP, I have a VPN set up for one of my clients using a Sonicwall TZ170 that allows me to limit the users based on IP address and Port. I currently have multiple users that are only allowed to access the Exchange port on our Exchange server and nothing else. If you're willing to shell out some $$$, the TZ170 with the enhanced OS is a good way to go.
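As an added example that is not part of this thread: the "firewall after the VPN box" approach from gabeso's first answer, and the per-IP, per-port restriction described for the Sonicwall above, written as a default-deny forward policy for a Linux firewall using nftables. The VPN client pool 10.99.0.0/24, the permitted host 192.168.1.10, the TCP ports 443 and 3389, and the table name vpnfilter are all assumed values chosen for illustration, not anything from the original posts.

```shell
#!/bin/sh
# Added example, not from the thread. Generates an nftables ruleset for a
# firewall that sits between the VPN concentrator and the LAN. Assumed values:
# VPN client pool 10.99.0.0/24, permitted host 192.168.1.10, TCP ports 443,3389.
# The forward chain's default policy is drop, so a VPN client can open
# connections only to the one permitted host on the listed ports; conntrack
# lets the replies back through. Everything else from the pool is counted
# and dropped so you can see blocked attempts in 'nft list ruleset'.

vpn_ruleset() {
    # $1 = VPN client pool (CIDR), $2 = permitted host, $3 = comma-separated TCP ports
    pool=$1; host=$2; ports=$3
    cat <<EOF
table inet vpnfilter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ip saddr $pool ip daddr $host tcp dport { $ports } ct state new accept
        ip saddr $pool counter drop
    }
}
EOF
}

# Sanity check on the generated text before loading it: the chain must default
# to drop, there must be an accept rule for the permitted host, and no rule
# that accepts new connections to anything other than that host.
# Returns 0 when the ruleset passes, 1 otherwise.
vpn_ruleset_check() {
    rules=$(vpn_ruleset "$1" "$2" "$3")
    printf '%s\n' "$rules" | grep -q 'policy drop;' || return 1
    printf '%s\n' "$rules" | grep -q "ip daddr $2 .*ct state new accept" || return 1
    printf '%s\n' "$rules" | grep 'ct state new accept' | grep -qv "ip daddr $2 " && return 1
    return 0
}

# Usage on the firewall host (assumed paths):
#   vpn_ruleset_check 10.99.0.0/24 192.168.1.10 443,3389 \
#     && vpn_ruleset 10.99.0.0/24 192.168.1.10 443,3389 > /etc/nftables.conf \
#     && nft -f /etc/nftables.conf
```

Because the forward chain defaults to drop, LAN hosts cannot initiate connections to VPN clients either; if that is wanted (for example for management), it needs its own explicit accept rule rather than loosening the policy.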
Hey, thanks guys! I am very glad to have been able to participate and I very much appreciate the generous points awarded... hope to see you all again soon.