Solved

Cisco VPN remote acccess user limiting

Posted on 2006-06-29
10
404 Views
Last Modified: 2008-02-26
Hello,

I have a user that tavels, he needs to connect to our network and synchronize data with one server only periodically.  i have created the remote user through the PDM wizard on our Cisco PIX 506e.  i have tested the connection and it works fine.  

The only thing i am not sure about it locking that remote vpn user to access only resources on our network that he needs which is a single IP address locally.  

How can I do this?  i was thinking about removing the primary DNS and WINS info so he can't resolve to anything else but I'm sure there is a better way.

thanks
0
Comment
Question by:dosle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
10 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17010054
Better way would be by modifying the 'nonat' access-list.

For the vpn to work, you would've created an access-list to prevent natting between your internal network and his vpn ip pool right ? For example if you internal network is 192.168.1.0 and vpn address is 10.0.0.0, your access-list would be something like this;

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

Modify it to the specific internal ip, call it 192.168.1.100, so;

access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0

Then add a host entry in the 'hosts' file for that person's laptop to resolve the netbios name of 192.168.1.100

Done.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17012740
ok, let me see if i understand what your saying here...

I am creating the vpn connection through the wizard.  So what i share below is the resulting lines from Cisco's vpn wizard.

here is the cryptomap that is associated with the IP Pool, which is only 192.168.1.187 for the incoming vpn user.  the user is coming in to access 192.168.1.34

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host 192.168.1.187 (hitcnt=80)


so, i should create another ACL similar to the line you posted above?  

i.e.
access-list nonat permit ip 192.168.1.0 255.255.255.0 'external.ip.of.PAT' 255.0.0.0
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
0
 
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 125 total points
ID: 17013082
adjust the nat 0 line to be more restricive.


Nat 0 means do not nat which would push the traffic over the VPN.
0
Will You Be GDPR Compliant by 5/28/2018?

GDPR? That's a regulation for the European Union. But, if you collect data from customers or employees within the EU, then you need to know about GDPR and make sure your organization is compliant by May 2018. Check out our preparation checklist to make sure you're on track today!

 
LVL 11

Expert Comment

by:prueconsulting
ID: 17013088
If you had been authenticated against a Radius server you could push a custom ACL for each user by using custom radius attributes
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17015169
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the vpn user. Do onething, just post the sanitized configuration of pix and we'll be able to dig more into it and come up with modifications.

Cheers,
Rajesh
0
 
LVL 1

Author Comment

by:dosle
ID: 17019863
I would have so much info to sanitize from the configuration.  Can you narrow down what might be helpful information?  The configuraion is huge.

thanks
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17019907
I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since this configuration details are going to be all over the place (acls at the top, vpn config at the bottom etc)

Cheers,
Rajesh
0

Featured Post

Webinar May 25: Cloud Security Strategies for SMBs

Small and mid-sized businesses are a driving force behind cloud adoption, and it’s no wonder: cloud benefits are BIG.  But for all the convenience that moving to the cloud provides, where does security come into play?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Adding VPN user with Cisco RV110W changes IP address 7 89
auto connect vpn 17 74
Problems with VPN 4 61
VPN - Site to Site  not decapsulating (ASA-Sophos XG85) 1 33
Preface Having the need * to contact many different companies with different infrastructures * do remote maintenance in their network required us to implement a more flexible routing solution. As RAS, PPTP, L2TP and VPN Client connections are no…
If you use NetMotion Mobility on your PC and plan to upgrade to Windows 10, it may not work unless you take these steps.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question