Cisco VPN remote acccess user limiting


I have a user that tavels, he needs to connect to our network and synchronize data with one server only periodically.  i have created the remote user through the PDM wizard on our Cisco PIX 506e.  i have tested the connection and it works fine.  

The only thing i am not sure about it locking that remote vpn user to access only resources on our network that he needs which is a single IP address locally.  

How can I do this?  i was thinking about removing the primary DNS and WINS info so he can't resolve to anything else but I'm sure there is a better way.

Who is Participating?

Improve company productivity with a Business Account.Sign Up

rsivanandanConnect With a Mentor Commented:
Better way would be by modifying the 'nonat' access-list.

For the vpn to work, you would've created an access-list to prevent natting between your internal network and his vpn ip pool right ? For example if you internal network is and vpn address is, your access-list would be something like this;

access-list nonat permit ip
nat (inside) 0 access-list nonat

Modify it to the specific internal ip, call it, so;

access-list nonat permit ip host

Then add a host entry in the 'hosts' file for that person's laptop to resolve the netbios name of


dosleAuthor Commented:
ok, let me see if i understand what your saying here...

I am creating the vpn connection through the wizard.  So what i share below is the resulting lines from Cisco's vpn wizard.

here is the cryptomap that is associated with the IP Pool, which is only for the incoming vpn user.  the user is coming in to access

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host (hitcnt=80)

so, i should create another ACL similar to the line you posted above?  

access-list nonat permit ip 'external.ip.of.PAT'
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
prueconsultingConnect With a Mentor Commented:
adjust the nat 0 line to be more restricive.

Nat 0 means do not nat which would push the traffic over the VPN.
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

If you had been authenticated against a Radius server you could push a custom ACL for each user by using custom radius attributes
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the vpn user. Do onething, just post the sanitized configuration of pix and we'll be able to dig more into it and come up with modifications.

dosleAuthor Commented:
I would have so much info to sanitize from the configuration.  Can you narrow down what might be helpful information?  The configuraion is huge.

I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since this configuration details are going to be all over the place (acls at the top, vpn config at the bottom etc)

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.