Solved

Cisco VPN Concentrator 3060, and user access after connected to VPN

Posted on 2011-02-18
342 Views
Last Modified: 2012-05-11
I have a cisco VPN concentrator 3060 that my users use for remote access. When users connect through the cisco vpn client, they get an ip address in the 10.6.0.0/16 network. This is a DHCP pool I have set up on the concentrator. I have several groups configured on this concentrator. Right now I am in some sort of a bind. I created a new group, but I need them to only have access to one server which is 10.6.0.123/16 when they connect. I don't want them to even be able to ping anything else in this network but 10.6.0.123, which is the server they need to access when connected to the VPN. Is there a configuration setting in the group where I can specify this? Any assistance would be greatly appreciated. Thanks.
Question by:denver218
4 Comments
 
LVL 3

Expert Comment

by:mikegatti
ID: 34930095
Your solution here is to use a network list (Split Tunneling):

First create your network list, these are the routes that will be exported to your vpn client
Configuration > Policy Management > Traffic Management > Network Lists
Give your network list a name and add the host in the area below. If you want a single host to be accessed, use the host with a wildcard mask of 0.0.0.0; a host entry would work if you only want to give access to 10.6.0.123:

10.6.0.123/0.0.0.0

Save your network list file and go into the group configuration, click on your client config tab, at the bottom of the page you will have two fields:

Split Tunneling Policy and Split Tunneling Network List

Set your Split Tunneling Policy to: Only tunnel networks in the list
and in your Split Tunneling Network List select the network list that you just created.
Save and test.

Remember that split tunneling is not a very secure mode of providing remote access: as the vpn client is a node on your network, it can be used as a bridge from the internet into your network if the vpn client is not properly secured.
 
LVL 4

Author Comment

by:denver218
ID: 34942393
Thanks. Now with split tunneling enabled, when remote users connect they will have access to the LOCAL internet connection, right? When I say local internet connection I mean the same internet connection that my Cisco Concentrator 3060 is on. How could I configure the VPN group to allow split tunneling so I can accomplish my goal of only allowing users in this group to have access to one server and make sure they're not using the local internet connection to browse? Thanks.
 
LVL 3

Accepted Solution

by: mikegatti (earned 500 total points)
ID: 34943016
If your requirements are to have the user have access to a single server on your network and not allow split tunneling, then the above is not a solution that will meet those requirements. The solution should rely on the use of filters to define with allow/deny what systems they can access and apply the filter to the group. First you need to create some rules; you must define one for each action. The list below is an idea of what you might need to create:
allow 10.6.0.123 wild-mask 0.0.0.0
deny 10.0.0.0 wild-mask 0.255.255.255 (your internal networks)
deny 172.16.0.0 wild-mask 0.15.255.255 (your internal networks)
deny 192.168.0.0 wild-mask 0.0.255.255 (your internal networks)

The configuration is done in Configuration >Policy Management > Traffic Management > Rules
Once the rules are created you will need to group them in a filter with a default action of forward (for access to the internet, it's important to get your deny rules correct) :
Configuration > Policy Management > Traffic Management > Filters
Add your filter with the permit-access-to-the-server rule first, then the deny rule/s after that. Once your filter is created you can attach it to your VPN group at:
Configuration > User Management > Groups in the VPN groups General Tab.
You might require some tweaking of rules for this, for things such as DNS, but I guess this gives you an idea and a starting point.
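To make the two mechanisms in this thread concrete, here is an added Python model (not code from the page, the poster, or Cisco) of how the concentrator evaluates them: the wildcard-mask match behind both the split-tunnel network list entry `10.6.0.123/0.0.0.0` from the first answer and the ordered filter rules with a default action of forward from the accepted solution. It assumes first-match-wins evaluation in the order the rules are listed, uses the concentrator's rule action names `forward`/`drop` for the post's allow/deny, and uses a constructed internal DNS server address `10.6.0.10` to show the DNS caveat the answer mentions; everything else comes from the thread.

```python
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 0 bit in the mask must equal the base,
    a 1 bit is don't-care. A mask of 0.0.0.0 therefore means 'exactly this host'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)


# Split-tunnel network list from the first answer: one host entry.
# Traffic to a matching destination goes into the tunnel; everything else
# leaves the client's own internet connection untunneled.
SPLIT_TUNNEL_LIST = [("10.6.0.123", "0.0.0.0")]


def is_tunneled(dst: str) -> bool:
    return any(wildcard_match(dst, base, wild) for base, wild in SPLIT_TUNNEL_LIST)


# Filter rules from the accepted solution, in the order they must be added:
# the single permit first, then the denies for the internal ranges.
FILTER_RULES = [
    ("forward", "10.6.0.123", "0.0.0.0"),
    ("drop", "10.0.0.0", "0.255.255.255"),
    ("drop", "172.16.0.0", "0.15.255.255"),
    ("drop", "192.168.0.0", "0.0.255.255"),
]


def filter_action(dst: str, rules=FILTER_RULES, default: str = "forward") -> str:
    """First matching rule wins; the filter's default action applies otherwise.
    With default=forward, non-internal (internet) destinations pass through."""
    for action, base, wild in rules:
        if wildcard_match(dst, base, wild):
            return action
    return default


def with_internal_dns(rules, dns_server: str):
    """The DNS tweak the answer hints at: an internal resolver sits inside the
    denied 10/8 range, so its permit must be inserted before the deny rules."""
    return [rules[0], ("forward", dns_server, "0.0.0.0")] + list(rules[1:])


INTERNAL_DNS = "10.6.0.10"  # constructed address, not from the thread

if __name__ == "__main__":
    for dst in ["10.6.0.123", "10.6.0.1", "172.20.5.5", "192.168.1.1", "203.0.113.7"]:
        print(f"{dst:>14}  tunneled={is_tunneled(dst)!s:5}  filter={filter_action(dst)}")
    # Rule order matters: with the denies first, the permitted server is dropped.
    reordered = FILTER_RULES[1:] + FILTER_RULES[:1]
    print("server with denies first:", filter_action("10.6.0.123", rules=reordered))
    print("internal DNS, base rules:", filter_action(INTERNAL_DNS))
    print("internal DNS, with permit:", filter_action(INTERNAL_DNS, rules=with_internal_dns(FILTER_RULES, INTERNAL_DNS)))
```

The split-tunnel list only controls which destinations enter the tunnel, which is why it cannot stop the client browsing from its own connection; the filter, applied to the group, decides what the tunneled traffic may reach once it arrives at the concentrator, and with the default left at forward the deny rules for the private ranges are what keep the rest of the LAN out of reach.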
 
LVL 4

Author Closing Comment

by:denver218
ID: 35064360
Thanks