Solved

Cisco VPN remote acccess user limiting

Posted on 2006-06-29
10
405 Views
Last Modified: 2008-02-26
Hello,

I have a user that tavels, he needs to connect to our network and synchronize data with one server only periodically.  i have created the remote user through the PDM wizard on our Cisco PIX 506e.  i have tested the connection and it works fine.  

The only thing i am not sure about it locking that remote vpn user to access only resources on our network that he needs which is a single IP address locally.  

How can I do this?  i was thinking about removing the primary DNS and WINS info so he can't resolve to anything else but I'm sure there is a better way.

thanks
0
Comment
Question by:dosle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
10 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17010054
Better way would be by modifying the 'nonat' access-list.

For the vpn to work, you would've created an access-list to prevent natting between your internal network and his vpn ip pool right ? For example if you internal network is 192.168.1.0 and vpn address is 10.0.0.0, your access-list would be something like this;

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

Modify it to the specific internal ip, call it 192.168.1.100, so;

access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0

Then add a host entry in the 'hosts' file for that person's laptop to resolve the netbios name of 192.168.1.100

Done.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17012740
ok, let me see if i understand what your saying here...

I am creating the vpn connection through the wizard.  So what i share below is the resulting lines from Cisco's vpn wizard.

here is the cryptomap that is associated with the IP Pool, which is only 192.168.1.187 for the incoming vpn user.  the user is coming in to access 192.168.1.34

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host 192.168.1.187 (hitcnt=80)


so, i should create another ACL similar to the line you posted above?  

i.e.
access-list nonat permit ip 192.168.1.0 255.255.255.0 'external.ip.of.PAT' 255.0.0.0
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
0
 
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 125 total points
ID: 17013082
adjust the nat 0 line to be more restricive.


Nat 0 means do not nat which would push the traffic over the VPN.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 11

Expert Comment

by:prueconsulting
ID: 17013088
If you had been authenticated against a Radius server you could push a custom ACL for each user by using custom radius attributes
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17015169
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the vpn user. Do onething, just post the sanitized configuration of pix and we'll be able to dig more into it and come up with modifications.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17019863
I would have so much info to sanitize from the configuration.  Can you narrow down what might be helpful information?  The configuraion is huge.

thanks
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17019907
I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since this configuration details are going to be all over the place (acls at the top, vpn config at the bottom etc)

Cheers,
Rajesh
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question