Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Cisco VPN remote acccess user limiting

Posted on 2006-06-29
10
Medium Priority
?
407 Views
Last Modified: 2008-02-26
Hello,

I have a user that tavels, he needs to connect to our network and synchronize data with one server only periodically.  i have created the remote user through the PDM wizard on our Cisco PIX 506e.  i have tested the connection and it works fine.  

The only thing i am not sure about it locking that remote vpn user to access only resources on our network that he needs which is a single IP address locally.  

How can I do this?  i was thinking about removing the primary DNS and WINS info so he can't resolve to anything else but I'm sure there is a better way.

thanks
0
Comment
Question by:dosle
  • 3
  • 2
  • 2
10 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17010054
Better way would be by modifying the 'nonat' access-list.

For the vpn to work, you would've created an access-list to prevent natting between your internal network and his vpn ip pool right ? For example if you internal network is 192.168.1.0 and vpn address is 10.0.0.0, your access-list would be something like this;

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

Modify it to the specific internal ip, call it 192.168.1.100, so;

access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0

Then add a host entry in the 'hosts' file for that person's laptop to resolve the netbios name of 192.168.1.100

Done.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17012740
ok, let me see if i understand what your saying here...

I am creating the vpn connection through the wizard.  So what i share below is the resulting lines from Cisco's vpn wizard.

here is the cryptomap that is associated with the IP Pool, which is only 192.168.1.187 for the incoming vpn user.  the user is coming in to access 192.168.1.34

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host 192.168.1.187 (hitcnt=80)


so, i should create another ACL similar to the line you posted above?  

i.e.
access-list nonat permit ip 192.168.1.0 255.255.255.0 'external.ip.of.PAT' 255.0.0.0
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
0
 
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 500 total points
ID: 17013082
adjust the nat 0 line to be more restricive.


Nat 0 means do not nat which would push the traffic over the VPN.
0
WatchGuard Case Study: NCR

With business operations for thousands of customers largely depending on the internal systems they support, NCR can’t afford to waste time or money on security products that are anything less than exceptional. That’s why they chose WatchGuard.

 
LVL 11

Expert Comment

by:prueconsulting
ID: 17013088
If you had been authenticated against a Radius server you could push a custom ACL for each user by using custom radius attributes
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17015169
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the vpn user. Do onething, just post the sanitized configuration of pix and we'll be able to dig more into it and come up with modifications.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17019863
I would have so much info to sanitize from the configuration.  Can you narrow down what might be helpful information?  The configuraion is huge.

thanks
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17019907
I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since this configuration details are going to be all over the place (acls at the top, vpn config at the bottom etc)

Cheers,
Rajesh
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Overview Often, we set up VPN appliances where the connected clients are on a separate subnet and the company will have alternate internet connections and do not use this particular device as the gateway for certain servers or clients. In this case…
If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question