Solved

Cisco VPN remote access user limiting

Posted on 2006-06-29
Last Modified: 2008-02-26
Hello,

I have a user that travels; he needs to connect to our network and synchronize data with one server only periodically. I have created the remote user through the PDM wizard on our Cisco PIX 506e. I have tested the connection and it works fine.

The only thing I am not sure about is locking that remote VPN user to access only the resources on our network that he needs, which is a single IP address locally.

How can I do this? I was thinking about removing the primary DNS and WINS info so he can't resolve anything else, but I'm sure there is a better way.

thanks
Comment
Question by:dosle
10 Comments
 
LVL 32

Accepted Solution

by:
rsivanandan earned 125 total points
ID: 17010054
A better way would be to modify the 'nonat' access-list.

For the VPN to work, you would've created an access-list to prevent NATting between your internal network and his VPN IP pool, right? For example, if your internal network is 192.168.1.0 and the VPN address pool is 10.0.0.0, your access-list would be something like this:

access-list nonat permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.0.0.0
nat (inside) 0 access-list nonat

Modify it to the specific internal IP, call it 192.168.1.100, so:

access-list nonat permit ip host 192.168.1.100 10.0.0.0 255.0.0.0

Then add an entry in the 'hosts' file on that person's laptop to resolve the NetBIOS name of 192.168.1.100.

Done.

Cheers,
Rajesh
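The following configuration fragment is an added illustration of the nat 0 change described in the accepted solution, written here for this page; it is not from the thread or from Cisco documentation. It uses the addressing given later in the thread (inside 192.168.1.0/24, VPN pool address 192.168.1.187, target server 192.168.1.34) and PIX 6.3 CLI syntax; the access-list name inside_outbound_nat0_acl, the vpngroup name remoteusers and the outside ACL name outside_access_in are assumptions, since the PDM wizard names them from what you typed. It goes one step beyond the thread: narrowing nat 0 only stops reply traffic from other inside hosts, so the fragment also shows where the PIX actually filters the client's packets.

```cisco
! --- Added illustration, not configuration from the original thread.
! --- Assumed addressing: inside 192.168.1.0/24, VPN pool 192.168.1.187,
! --- target server 192.168.1.34. ACL/group names are assumptions.

! 1. What the wizard typically leaves behind: every inside host may
!    reach the VPN client without translation.
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.1.187
nat (inside) 0 access-list inside_outbound_nat0_acl

! 2. The accepted answer: only 192.168.1.34 bypasses NAT towards the client.
!    Remove the broad entry, add the host entry, re-apply nat 0.
no access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 host 192.168.1.187
access-list inside_outbound_nat0_acl permit ip host 192.168.1.34 host 192.168.1.187
nat (inside) 0 access-list inside_outbound_nat0_acl

! 3. Split tunnel: tell the client which destination goes into the tunnel.
!    This is enforced by the client software only, so it is convenience,
!    not a security boundary.
access-list vpn_splittunnel permit ip host 192.168.1.34 host 192.168.1.187
vpngroup remoteusers split-tunnel vpn_splittunnel

! 4. Actual enforcement. The wizard enables "sysopt connection permit-ipsec",
!    which lets decrypted IPsec traffic skip the outside interface ACL; with
!    it on, the nat 0 change only breaks replies from other hosts rather
!    than filtering the client's packets. Turn the bypass off and permit
!    exactly one destination for the pool address before any existing rules.
no sysopt connection permit-ipsec
access-list outside_access_in permit ip host 192.168.1.187 host 192.168.1.34
access-list outside_access_in deny ip host 192.168.1.187 192.168.1.0 255.255.255.0
! (existing outside_access_in entries for other published services follow)
access-group outside_access_in in interface outside

! 5. Check while the user syncs: the permit line's hitcnt should climb,
!    the deny line's hitcnt should stay at zero; a rising deny count means
!    the client is trying to reach something else.
show access-list outside_access_in
```

Once sysopt connection permit-ipsec is disabled, every remote-access and site-to-site tunnel terminating on that PIX needs its decrypted traffic permitted in the outside ACL, so list those flows before applying the change on a box that carries more than this one user.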
 
LVL 1

Author Comment

by:dosle
ID: 17012740
OK, let me see if I understand what you're saying here...

I am creating the VPN connection through the wizard, so what I share below is the resulting lines from Cisco's VPN wizard.

Here is the crypto map that is associated with the IP pool, which is only 192.168.1.187 for the incoming VPN user. The user is coming in to access 192.168.1.34.

pix# show access-list outside_cryptomap_dyn_100
access-list outside_cryptomap_dyn_100 turbo-configured; 1 elements
access-list outside_cryptomap_dyn_100 line 1 permit ip any host 192.168.1.187 (hitcnt=80)


So, I should create another ACL similar to the line you posted above?

i.e.
access-list nonat permit ip 192.168.1.0 255.255.255.0 'external.ip.of.PAT' 255.0.0.0
nat (inside) 3 access-list nonat
(nat 0-2 are already taken)
 
LVL 11

Assisted Solution

by:prueconsulting
prueconsulting earned 125 total points
ID: 17013082
Adjust the nat 0 line to be more restrictive.


Nat 0 means do not NAT, which would push the traffic over the VPN.
 
LVL 11

Expert Comment

by:prueconsulting
ID: 17013088
If you had been authenticating against a RADIUS server, you could push a custom ACL for each user by using custom RADIUS attributes.
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17015169
No. You'll have to adjust the nat 0 itself, since that is the one which takes care of traffic for the VPN user. Do one thing: just post the sanitized configuration of the PIX and we'll be able to dig more into it and come up with modifications.

Cheers,
Rajesh
 
LVL 1

Author Comment

by:dosle
ID: 17019863
I would have so much info to sanitize from the configuration. Can you narrow down what might be helpful information? The configuration is huge.

thanks
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17019907
I would still suggest posting the configuration if you didn't understand the above comment. Sanitize it and post it, since the configuration details are going to be all over the place (ACLs at the top, VPN config at the bottom, etc.).

Cheers,
Rajesh