Solved

Cisco VPN Concentrator 3060, and user access after connected to VPN

Posted on 2011-02-18
339 Views
Last Modified: 2012-05-11
I have a Cisco VPN Concentrator 3060 that my users use for remote access.  When users connect through the Cisco VPN client, they get an IP address in the 10.6.0.0/16 network.  This is a DHCP pool I have set up on the concentrator.  I have several groups configured on this concentrator.  Right now I am in some sort of a bind.  I created a new group, but I need them to only have access to one server, which is 10.6.0.123/16, when they connect.  I don't want them to even be able to ping anything else in this network but 10.6.0.123, which is the server they need to access when connected to the VPN.  Is there a configuration setting in the group where I can specify this?  Any assistance would be greatly appreciated.  Thanks.
Question by:denver218
4 Comments
LVL 3

Expert Comment

by:mikegatti
ID: 34930095
Your solution here is to use a network list (split tunneling):

First create your network list; these are the routes that will be exported to your VPN client:
Configuration > Policy Management > Traffic Management > Network Lists
Give your network list a name and add the host in the area below. If you want a single host to be accessed, you would use the host and a wildcard mask of 0.0.0.0; a host entry would work if you only want to give access to 10.6.0.123:

10.6.0.123/0.0.0.0

Save your network list and go into the group configuration. Click on your Client Config tab; at the bottom of the page you will have two fields:

Split Tunneling Policy and Split Tunneling Network List

Set your Split Tunneling Policy to:       Only tunnel networks in the list
and in your Split Tunneling Network List select the network list that you just created.
Save and test.

Remember that split tunneling is not a very secure mode of providing remote access: as the VPN client is a node on your network, it can be used as a bridge from the internet into your network if the VPN client is not properly secured.



LVL 4

Author Comment

by:denver218
ID: 34942393
Thanks.  Now with split tunneling enabled, when remote users connect they will have access to the LOCAL internet connection, right?  When I say local internet connection I mean the same internet connection that my Cisco Concentrator 3060 is on.  How could I configure the VPN group to allow split tunneling so I can accomplish my goal of only allowing users in this group to have access to one server and make sure they're not using the local internet connection to browse?  Thanks.
LVL 3

Accepted Solution

by: mikegatti (earned 500 total points)
ID: 34943016
If your requirements are to have the user have access to a single server on your network and not allow split tunneling, then the above is not a solution that will meet those requirements. The solution should rely on the use of filters to define with allow/deny what systems they can access, and apply the filter to the group. First you need to create some rules; you must define one for each action. The below is an idea of what you might need to create:
allow 10.6.0.123 wild-mask 0.0.0.0
deny 10.0.0.0 wild-mask 0.255.255.255 (your internal networks)
deny 172.16.0.0 wild-mask 0.15.255.255 (your internal networks)
deny 192.168.0.0 wild-mask 0.0.255.255 (your internal networks)

The configuration is done in Configuration > Policy Management > Traffic Management > Rules.
Once the rules are created you will need to group them in a filter with a default action of forward (for access to the internet; it's important to get your deny rules correct):
Configuration > Policy Management > Traffic Management > Filters
Add your filter with the permit-access-to-the-server rule first, then the deny rule(s) after that. Once your filter is created you can attach it to your VPN group at:
Configuration > User Management > Groups, in the VPN group's General tab.
You might require some tweaking of rules for this, such as for DNS, but I guess this gives you an idea and a starting point.
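The two answers above both lean on Cisco wildcard masks (0 bits must match, 1 bits are "don't care") and, for the filter approach, on first-match rule order with a default action. The following is an added example written for this page, not code from the original thread or from Cisco: it models only destination-address matching (a real concentrator rule also carries direction, protocol and source, which are left out here), evaluates the exact rule set the accepted answer proposes, and shows what happens when the permit rule is placed after the deny 10/8 rule. The sample destinations (another VPN pool address 10.6.0.5, a 172.31.x address, 172.32.0.1 just outside the private range, and 8.8.8.8 as an internet host) are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Rule:
    action: str    # "forward" (permit) or "drop" (deny)
    network: str   # base address, e.g. "10.6.0.123"
    wildcard: str  # Cisco wildcard mask: 0 bits must match, 1 bits are don't-care


def wildcard_match(dst: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: compare only the bits that are 0 in the mask."""
    d = int(ipaddress.IPv4Address(dst))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w          # invert the wildcard to get the "must match" bits
    return (d & care) == (n & care)


def evaluate(rules: List[Rule], dst: str, default: str = "forward") -> str:
    """First matching rule wins; the filter's default action applies if none match."""
    for r in rules:
        if wildcard_match(dst, r.network, r.wildcard):
            return r.action
    return default


# The rule set from the accepted answer: permit the one server, then deny RFC 1918 space.
SINGLE_SERVER_FILTER = [
    Rule("forward", "10.6.0.123", "0.0.0.0"),
    Rule("drop", "10.0.0.0", "0.255.255.255"),
    Rule("drop", "172.16.0.0", "0.15.255.255"),
    Rule("drop", "192.168.0.0", "0.0.255.255"),
]

# Same rules with the permit placed after "deny 10/8": the server is no longer reachable.
MISORDERED_FILTER = [SINGLE_SERVER_FILTER[1], SINGLE_SERVER_FILTER[0]] + SINGLE_SERVER_FILTER[2:]

# Constructed sample destinations (assumed, not from the original post).
SAMPLE_DESTINATIONS = [
    "10.6.0.123",      # the permitted server
    "10.6.0.5",        # another client in the 10.6.0.0/16 VPN pool
    "10.1.2.3",        # some other internal host
    "172.31.255.255",  # last address inside 172.16.0.0/12
    "172.32.0.1",      # first address outside 172.16.0.0/12
    "192.168.1.10",    # internal host in 192.168/16
    "8.8.8.8",         # an internet host; governed by the default action
]


def check_filter(rules: List[Rule], default: str = "forward") -> Dict[str, str]:
    """Evaluate every sample destination; returns {destination: action}."""
    return {dst: evaluate(rules, dst, default) for dst in SAMPLE_DESTINATIONS}


if __name__ == "__main__":
    print("Correct order, default forward (internet allowed):")
    for dst, action in check_filter(SINGLE_SERVER_FILTER).items():
        print(f"  {dst:16} -> {action}")
    print("Correct order, default drop (no internet through the tunnel):")
    for dst, action in check_filter(SINGLE_SERVER_FILTER, default="drop").items():
        print(f"  {dst:16} -> {action}")
    print("Permit rule placed after deny 10/8:")
    print(f"  10.6.0.123       -> {evaluate(MISORDERED_FILTER, '10.6.0.123')}")
```

Switching the filter's default action to drop is the variant to use if the group should reach nothing beyond the one server, including the internet via the concentrator; with default forward, anything not covered by a deny rule (including any internal range you forgot to list) is reachable, which is why the answer stresses getting the deny rules right.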
 
LVL 4

Author Closing Comment

by:denver218
ID: 35064360
Thanks