Cisco VPN Concentrator 3060, and user access after connected to VPN

I have a cisco VPN concentrator 3060 that my users use for remote access. When users connect through the cisco vpn client, they get an ip address in the 10.6.0.0/16 network. This is a DHCP pool I have set up on the concentrator. I have several groups configured on this concentrator. Right now I am in some sort of a bind. I created a new group, but I need them to only have access to one server which is 10.6.0.123/16 when they connect. I don't want them to even be able to ping anything else in this network but 10.6.0.123, which is the server they need to access when connected to the VPN. Is there a configuration setting in the group where I can specify this? Any assistance would be greatly appreciated. Thanks.
Asked by: denver218
1 Solution
 
mikegatti commented:
Your solution here is to use a network list (Split Tunneling):

First create your network list, these are the routes that will be exported to your vpn client
Configuration > Policy Management > Traffic Management > Network Lists
Give your network list a name and add the host in the area below. If you want a single host to be accessed you would use the host and a wildcard mask of 0.0.0.0; a host entry would work if you only want to give access to 10.6.0.123:

10.6.0.123/0.0.0.0

Save your network list file and go into the group configuration, click on your client config tab, at the bottom of the page you will have two fields:

Split Tunneling Policy and Split Tunneling Network List

Set your Split Tunneling Policy to: Only tunnel networks in the list
and in your Split Tunneling Network List select the network list that you just created.
Save and test.

Remember that split tunneling is not a very secure mode of providing remote access as the vpn client is a node on your network, it can be used as a bridge from the internet into your network if the vpn client is not properly secured.



 
denver218 (Author) commented:
Thanks. Now with split tunneling enabled, when remote users connect they will have access to the LOCAL internet connection, right? When I say local internet connection I mean the same internet connection that my Cisco Concentrator 3060 is on. How could I configure the VPN group to allow split tunneling so I can accomplish my goal of only allowing users in this group to have access to one server and make sure they're not using the local internet connection to browse? Thanks.
 
mikegatti commented:
If your requirements are to have the user have access to a single server on your network and not allow split tunneling, then the above is not a solution that will meet those requirements. The solution should rely on the use of filters to define with allow/deny what systems they can access and apply the filter to the group. First you need to create some rules; you must define one for each action. The below is an idea of what you might need to create:
allow 10.6.0.123 wild-mask 0.0.0.0
deny 10.0.0.0 wild-mask 0.255.255.255 (your internal networks)
deny 172.16.0.0 wild-mask 0.15.255.255 (your internal networks)
deny 192.168.0.0 wild-mask 0.0.255.255 (your internal networks)

The configuration is done in Configuration >Policy Management > Traffic Management > Rules
Once the rules are created you will need to group them in a filter with a default action of forward (for access to the internet, it's important to get your deny rules correct) :
Configuration > Policy Management > Traffic Management > Filters
Add your filters with the permit access to the server rule, then the deny rule/s after that. Once your filter is created you can attach it to your VPN group at:
Configuration > User Management > Groups in the VPN group's General Tab.
You might require some tweaking of rules for this, such as DNS, but I guess this gives you an idea and a starting point.
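To see how an ordered filter built from the rules above behaves (first match wins, default action forward), here is an added Python model of Cisco wildcard-mask matching; it is not code from the concentrator or from either poster, and the rule list is constructed from the answer, with the deny rules mapped to "drop" and the allow rule to "forward":

```python
import ipaddress
from typing import List, Tuple

# Rule = (action, network, wildcard mask). In a Cisco wildcard mask a 1 bit
# means "don't care", so 0.0.0.0 matches exactly one host. Constructed from
# the rules proposed in the answer above.
Rule = Tuple[str, str, str]

RULES: List[Rule] = [
    ("forward", "10.6.0.123", "0.0.0.0"),     # the single server this group may reach
    ("drop", "10.0.0.0", "0.255.255.255"),    # rest of the internal 10/8 space
    ("drop", "172.16.0.0", "0.15.255.255"),   # internal 172.16/12
    ("drop", "192.168.0.0", "0.0.255.255"),   # internal 192.168/16
]
DEFAULT_ACTION = "forward"  # filter default: anything unmatched (the internet) is forwarded


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr falls inside network/wildcard using Cisco wildcard semantics."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    # Every bit that is 0 in the wildcard must agree between addr and network.
    return (a ^ n) & ~w & 0xFFFFFFFF == 0


def evaluate(dst: str, rules: List[Rule] = RULES, default: str = DEFAULT_ACTION) -> str:
    """Walk the filter in order; the first matching rule decides, else the default."""
    for action, network, wildcard in rules:
        if wildcard_match(dst, network, wildcard):
            return action
    return default


if __name__ == "__main__":
    for dst in ("10.6.0.123", "10.6.0.50", "192.168.1.10", "8.8.8.8"):
        print(f"{dst:>14} -> {evaluate(dst)}")
    # Putting the deny rules ahead of the allow rule silently breaks access
    # to the server, which is why rule order in the filter matters.
    print("reversed order, 10.6.0.123 ->", evaluate("10.6.0.123", list(reversed(RULES))))
```

With the rules in the order given, only 10.6.0.123 is reachable inside the private ranges while non-private destinations fall through to the forward default; reversing the order makes the 10/8 deny swallow the server too.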
 
denver218 (Author) commented:
Thanks
