Cisco VPN Concentrator 3060, and user access after connected to VPN

Posted on 2011-02-18
Last Modified: 2012-05-11
I have a Cisco VPN concentrator 3060 that my users use for remote access. When users connect through the Cisco VPN client, they get an IP address in the 10.6.0.0/16 network. This is a DHCP pool I have set up on the concentrator. I have several groups configured on this concentrator. Right now I am in some sort of a bind. I created a new group, but I need them to only have access to one server, which is 10.6.0.123/16, when they connect. I don't want them to even be able to ping anything else in this network but 10.6.0.123, which is the server they need to access when connected to the VPN. Is there a configuration setting in the group where I can specify this? Any assistance would be greatly appreciated. Thanks.
Question by:denver218
4 Comments
 
LVL 3

Expert Comment

by:mikegatti
ID: 34930095
Your solution here is to use a network list (split tunneling):

First create your network list; these are the routes that will be exported to your VPN client:
Configuration > Policy Management > Traffic Management > Network Lists
Give your network list a name and add the host in the area below. If you want a single host to be accessed, you would use the host and a wildcard mask of 0.0.0.0; a host entry would work if you only want to give access to 10.6.0.123:

10.6.0.123/0.0.0.0

Save your network list and go into the group configuration, click on your Client Config tab, and at the bottom of the page you will have two fields:

Split Tunneling Policy and Split Tunneling Network List

Set your Split Tunneling Policy to: Only tunnel networks in the list
and in your Split Tunneling Network List select the network list that you just created.
Save and test.

Remember that split tunneling is not a very secure mode of providing remote access: as the VPN client is a node on your network, it can be used as a bridge from the Internet into your network if the VPN client is not properly secured.



LVL 4

Author Comment

by:denver218
ID: 34942393
Thanks. Now with split tunneling enabled, when remote users connect they will have access to the LOCAL Internet connection, right? When I say local Internet connection I mean the same Internet connection that my Cisco Concentrator 3060 is on. How could I configure the VPN group to allow split tunneling so I can accomplish my goal of only allowing users in this group to have access to one server and make sure they're not using the local Internet connection to browse? Thanks.
LVL 3

Accepted Solution

by:
mikegatti earned 2000 total points
ID: 34943016
If your requirements are to have the user have access to a single server on your network and not allow split tunneling, then the above is not a solution that will meet those requirements. The solution should rely on the use of filters to define with allow/deny what systems they can access, and apply the filter to the group. First you need to create some rules; you must define one for each action. The below is an idea of what you might need to create:
allow 10.6.0.123 wild-mask 0.0.0.0
deny 10.0.0.0 wild-mask 0.255.255.255 (your internal networks)
deny 172.16.0.0 wild-mask 0.15.255.255 (your internal networks)
deny 192.168.0.0 wild-mask 0.0.255.255 (your internal networks)

The configuration is done in Configuration > Policy Management > Traffic Management > Rules
Once the rules are created you will need to group them in a filter with a default action of forward (for access to the Internet; it's important to get your deny rules correct):
Configuration > Policy Management > Traffic Management > Filters
Add your filter with the permit-access-to-the-server rule first, then the deny rule(s) after that. Once your filter is created you can attach it to your VPN group at:
Configuration > User Management > Groups, in the VPN group's General tab.
You might require some tweaking of rules for this, such as for DNS, but I guess this gives you an idea and a starting point.
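As an added illustration (not from the original thread and not the concentrator's own software), this Python snippet models how the ordered filter from the accepted answer evaluates a destination address under Cisco wildcard masks, and shows why the allow rule must come before the 10/8 deny. The internal DNS server address is an assumed placeholder.

```python
import ipaddress

# Constructed rule list mirroring the accepted answer: (action, network, wildcard mask),
# evaluated top-down. Cisco wildcard semantics: a 0 bit must match, a 1 bit is "don't care",
# so a 0.0.0.0 wildcard means an exact host.
RULES = [
    ("allow", "10.6.0.123",  "0.0.0.0"),         # the one permitted server
    ("deny",  "10.0.0.0",    "0.255.255.255"),   # internal networks
    ("deny",  "172.16.0.0",  "0.15.255.255"),
    ("deny",  "192.168.0.0", "0.0.255.255"),
]
DEFAULT_ACTION = "forward"  # filter default: unmatched traffic (e.g. Internet) is forwarded

# Same rules with the allow placed after the 10/8 deny: the ordering mistake the answer warns about.
MISORDERED = [RULES[1], RULES[0], RULES[2], RULES[3]]

# Assumed placeholder: an internal DNS server that also needs an explicit allow
# ahead of the 10/8 deny (the "tweaking for DNS" the answer mentions).
DNS_SERVER = "10.6.0.5"
RULES_WITH_DNS = [RULES[0], ("allow", DNS_SERVER, "0.0.0.0")] + RULES[1:]


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def matches(dst, network, wildcard):
    """True if dst falls inside network under a Cisco-style wildcard mask."""
    care = ~_ip(wildcard) & 0xFFFFFFFF   # bits that must be equal
    return (_ip(dst) & care) == (_ip(network) & care)


def evaluate(dst, rules=RULES, default=DEFAULT_ACTION):
    """Return (action, index_of_matching_rule) for the first hit, else (default, None)."""
    for i, (action, net, wc) in enumerate(rules):
        if matches(dst, net, wc):
            return action, i
    return default, None


def policy_report(rules=RULES,
                  hosts=("10.6.0.123", "10.6.0.124", "192.168.1.50", "8.8.8.8", DNS_SERVER)):
    """Map each sample destination to the action the filter would take."""
    return {h: evaluate(h, rules)[0] for h in hosts}


if __name__ == "__main__":
    for name, rules in (("as written", RULES), ("misordered", MISORDERED), ("with DNS", RULES_WITH_DNS)):
        print(name, policy_report(rules))
```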
LVL 4

Author Closing Comment

by:denver218
ID: 35064360
Thanks