Solved

Cisco VPN remote acccess user limiting

Posted on 2006-06-29
406 Views
Last Modified: 2008-02-26
Hello,

I have a user that travels, he needs to connect to our network and synchronize data with one server only periodically.  I have created the remote user through the PDM wizard on our Cisco PIX 506e.  I have tested the connection and it works fine.  

The only thing I am not sure about is locking that remote VPN user to access only the resources on our network that he needs, which is a single IP address locally.  

How can I do this?  I was thinking about removing the primary DNS and WINS info so he can't resolve anything else, but I'm sure there is a better way.

thanks
Question by:dosle
10 Comments
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17010054
A better way would be to modify the 'nonat' access-list.

For the VPN to work, you would have created an access-list to prevent NATting between your internal network and his VPN IP pool, right? For example, if your internal network is 192.168.1.0 and the VPN address is 10.0.0.0, your access-list would be something like this:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

Modify it to the specific internal IP, call it 192.168.1.100, so:

access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0

Then add a host entry in the 'hosts' file on that person's laptop to resolve the NetBIOS name of 192.168.1.100.

Done.

Cheers,
Rajesh
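As an added illustration that is not part of the thread: a small Python model of how a packet is matched against the 'nonat' access-list, run over both the wizard-style subnet-wide line and the single-host line from the answer above. It assumes first-match semantics with an implicit deny and the sample addresses from the answer; it is a toy of ACL matching only, not the PIX NAT engine, and the crypto map and split-tunnel settings are left out.

```python
import ipaddress

# Constructed sample ACLs modelled on the thread: the subnet-wide line exempts
# every inside host from NAT (so the VPN client can reach all of them), the
# tightened line exempts only the one server the travelling user needs.
WIDE_NONAT = ["access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0"]
TIGHT_NONAT = ["access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0"]


def _parse_addr(tokens):
    """Consume one PIX address spec ('any', 'host A.B.C.D', or 'A.B.C.D MASK')
    from the token list and return (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # PIX access-lists use subnet masks (not wildcard masks) after the address.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into rule tuples."""
    rules = []
    for line in lines:
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        rules.append((t[2], src, dst))
    return rules


def nat_exempt(rules, src, dst):
    """True if traffic from inside host src to VPN client dst hits a permit
    entry (first match wins, implicit deny at the end), i.e. it is exempted
    from NAT and therefore carried over the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def reachable_hosts(acl_lines, inside_hosts, vpn_client):
    """Return the inside hosts the VPN client can reach under a given ACL."""
    rules = parse_acl(acl_lines)
    return [h for h in inside_hosts if nat_exempt(rules, h, vpn_client)]


if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.100", "192.168.1.200"]
    print("wide :", reachable_hosts(WIDE_NONAT, hosts, "10.0.0.5"))
    print("tight:", reachable_hosts(TIGHT_NONAT, hosts, "10.0.0.5"))
```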
LVL 1

Author Comment

by:dosle
ID: 17012740
OK, let me see if I understand what you're saying here...

I am creating the VPN connection through the wizard.  So what I share below are the resulting lines from Cisco's VPN wizard.

Here is the crypto map that is associated with the IP pool, which is only 192.168.1.187 for the incoming VPN user.  The user is coming in to access 192.168.1.34.

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host 192.168.1.187 (hitcnt=80)


So, I should create another ACL similar to the line you posted above?  

i.e.
access-list nonat permit ip 192.168.1.0 255.255.255.0 'external.ip.of.PAT' 255.0.0.0
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 500 total points
ID: 17013082
Adjust the nat 0 line to be more restrictive.

Nat 0 means "do not NAT", which is what pushes the traffic over the VPN.
LVL 11

Expert Comment

by:prueconsulting
ID: 17013088
If you had been authenticating against a RADIUS server, you could push a custom ACL for each user by using custom RADIUS attributes.
LVL 32

Expert Comment

by:rsivanandan
ID: 17015169
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the VPN user. Do one thing: just post the sanitized configuration of the PIX and we'll be able to dig more into it and come up with modifications.

Cheers,
Rajesh
LVL 1

Author Comment

by:dosle
ID: 17019863
I would have so much info to sanitize from the configuration.  Can you narrow down what might be helpful information?  The configuration is huge.

thanks
LVL 32

Expert Comment

by:rsivanandan
ID: 17019907
I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since these configuration details are going to be all over the place (ACLs at the top, VPN config at the bottom, etc.).

Cheers,
Rajesh