asked on
Access-lists VPN
I have a vpn group all set up, and it allows full access from the vpn client to my internal network. I now want to limit the access to internal resources for this VPN.
The VPN group is called PMVPN and there is a rule in access list 101:
access-list 101 permit tcp 172.19.2.0 255.255.255.0 interface inside log
I've created a second access list called vpn2 that sets the limits to where I want the clients to go on my internal network.
How do I create the access group for PMVPN to use the vpn2 access group, and do I need to get rid of the rule in list 101 or change it?
Thanks!
Scott
The VPN group is called PMVPN and there is a rule in access list 101:
access-list 101 permit tcp 172.19.2.0 255.255.255.0 interface inside log
I've created a second access list called vpn2 that sets the limits to where I want the clients to go on my internal network.
How do I create the access group for PMVPN to use the vpn2 access group, and do I need to get rid of the rule in list 101 or change it?
Thanks!
Scott
CiscoVPN
Last Comment
clearacid
ASKER
I already created the alternate access list... it's vpn2... now I just need to know how do I attach it to the range of ip addresses...
ip local pool VPNPOOL 192.168.100.1-192.168.100.
tunnel-group PMVPN general-attributes
address-pool VPNPOOL
dns-server value <ip address of our internal DNS server> (optional)
wins-server value <ip address of your internal WINS server> (optional)
Your VPN DHCP IP POOL network should be different from your LAN. This will avoid later unexpected problems - also provides a little more layer of control.
tunnel-group PMVPN general-attributes
address-pool VPNPOOL
dns-server value <ip address of our internal DNS server> (optional)
wins-server value <ip address of your internal WINS server> (optional)
Your VPN DHCP IP POOL network should be different from your LAN. This will avoid later unexpected problems - also provides a little more layer of control.
ASKER
clearacid,
the group is already set up, I meant to say how do I attach an access list to it. You can have multiple access lists for the pix, but can only attach one to the interface for the external port. So can you attach an access list to a vpn group?
Thanks!
the group is already set up, I meant to say how do I attach an access list to it. You can have multiple access lists for the pix, but can only attach one to the interface for the external port. So can you attach an access list to a vpn group?
Thanks!
If you assigned the VPN Pool a different ip range from the inside network - you can apply the ACL to your inside_access_in ACL.
Say - your VPN pool is 10.10.10.0/24 and only want to allow smb xfers via tcp 445.
You create an ACL like:
access-list inside_access_in exten permit tcp 10.10.10.0/24 eq 445
Everything else would be blocked.
Say - your VPN pool is 10.10.10.0/24 and only want to allow smb xfers via tcp 445.
You create an ACL like:
access-list inside_access_in exten permit tcp 10.10.10.0/24 eq 445
Everything else would be blocked.
ASKER
Clear acid, this would be in addtion to the internal access list I already have right? I'm adding it to that list?
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
If via radius, you could use cisco-av pairs to limit access to resources based on group membership of the authenticating user.
If you are using local database, you would need to create an alternate access list in which you define what resources/ips individuals connected through this VPN are allowed.
Not sure whether you have to detach the group-access prior to altering the access list. But to be safe, it is better to remove the rule from being used, alter it and then reenable it.
While it might be convenient to use the same rule in different places, setting up individual access list for different items might be better in the long run.