Solved

Configuring a Remote Access VPN on a Cisco VPN Concentrator 3060 and limiting what users can access

Posted on 2011-03-14
Last Modified: 2012-05-11
I just inherited a new network which I'm in the middle of trying to lock down remote users for security reasons.  Right now users that work from home remote in using the Cisco VPN Client.  The remote access VPN is configured on a Cisco VPN Concentrator 3060.  The LAN that users remote into is 10.10.0.0/16, which is a huge subnet I know, but it's already set up and working when I took this over.  If I log in to the Cisco VPN Concentrator, the IP pool for the remote users is 10.10.248.1 - 10.10.255.254 255.255.0.0.  Users that log in to the remote access VPN only need access to 6 servers, not the entire 10.10.0.0/16 network.  Is there a place on the concentrator where I can limit what internal IPs these remote users are allowed to access?  My LAN switches consist of Cisco 3550s, and I use a Cisco ASA5520 as my firewall.  The DHCP pool is in the same network as the LAN, so I'm not sure how to limit remote users to what they can access.  Any assistance would be greatly appreciated.  Thanks.
Question by:denver218
10 Comments

Expert Comment

by:mwblsz
ID: 35130109
Yes, you can add a VPN filter on a per-user basis. Here is the link from Cisco:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Here is a simple example; it only allows VPN user "testuser" to access server "10.0.0.20":

access-list VPN-limit extended permit ip any host 10.0.0.20

username testuser attributes
 vpn-filter value VPN-limit

sincerely


Author Comment

by:denver218
ID: 35130566
Thanks, but my remote access VPN is configured on the Cisco VPN Concentrator 3060, not the ASA.  I use Radius Authentication, with over 1000 users.

Expert Comment

by:mwblsz
ID: 35132848
In that case, you can add an ACL to the firewall inside interface:

access-list VPN-limit extended permit ip any host 10.0.0.20
access-group VPN-limit out interface inside

This will only allow traffic to 10.0.0.20 going out of your "inside" interface.
However, if you have other customers other than VPN customers going out of that interface, it will block them too.

So in that case, try this:
access-list VPN-limit extended permit ip any host 10.0.0.20
access-group VPN-limit in interface internet

I think you get the idea here.

sincerely

Author Comment

by:denver218
ID: 35138169
Is it possible to limit VPN users access by putting the access list on my Cisco 3550-48 switch?  See the below Diagram of my Network.  The network that VPN users have access to is the 10.4.0.0/16 network?  Could I just limit access there via an ACL?

[Network Diagram image]

Expert Comment

by:decoleur
ID: 35138673
You can limit the access wherever you want, but think about what the costs are for the choices you make. If you set up an ACL on the VPN concentrator then the users will only direct traffic over the tunnel that is destined for approved hosts, and your tunnel interface doesn't have to pass traffic that will later be dropped. If you put the ACL on the 3560 that is inside the VPN concentrator you will be dropping traffic that has already used up space on your encrypted tunnel.

I would pose that the most efficient use would be to push the restriction criteria from the concentrator to the client. also that puts all management for the VPN users onto a single platform.

let me know if you need help in setting that up.

-t

Author Comment

by:denver218
ID: 35139147
Yes, could you give me an example on setting that up on the VPN Concentrator?  Right now I have about 21 VPN groups configured in the VPN Concentrators.  Currently, all of them use the Same DHCP Pool, but this is going to change for a new group that I just added.  This group has its own DHCP Pool which is 192.168.87.1 - 192.168.87.254/24.  I have all the routing in place already so when this group connects to the concentrator they can access the 10.4.0.0/16 network.  I want to limit the 192.168.87.0/24 IP Pool to only have access to a few servers on the LAN, not the entire 10.4.0.0/16 network.  Any assistance would be greatly appreciated.  Thanks.

Accepted Solution

by:decoleur (earned 500 total points)
ID: 35139295
You have to use the GUI. What you want to do is set up a split tunnel that "only tunnels networks in list" and list the desired targets in the network list.

to create a network list see:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html#wpmkr1621285

for split tunnel see:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/Usermgt.html#wp2252451

hope this helps,

-t

Author Comment

by:denver218
ID: 35155608
decoleur, I used the above links and think I have everything working correctly.  I wanted this VPN group to only have access to one server, so I created a network list with just that server's IP:
Network List - 10.10.0.112/0.0.0.0

Then on the group, I went to the client config tab, and chose "Only tunnel networks in the list" and picked my Network list I just created.
I logged into the VPN, and the only server I could access was 10.10.0.112.  So it looks like it worked.  Does this seem correct to you?  I just want to be sure this is the proper way before I do this to all my groups.  Thanks.

Expert Comment

by:decoleur
ID: 35156242
yes that is what you want to do. this way you manage access on the configuration profile being passed to the remote endpoints and keep their traffic from getting onto your network unnecessarily.

-t
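An added example (not from this thread or from Cisco) that models what the accepted solution and the asker's confirmation describe: it parses network-list entries in the concentrator's address/wildcard form (the asker's "10.10.0.112/0.0.0.0"), decides which destinations a client under "Only tunnel networks in the list" would send over the tunnel, and flags entries that would quietly re-open the whole LAN or the pool. The LAN and pool values come from the question; the sample list and the second, over-broad entry are constructed.

```python
"""Added example, not the thread's own config: check a VPN 3000 style
network list before pushing it to 21 groups."""
import ipaddress

# Constructed sample inputs. LAN and pool are the question's values
# (10.10.248.1-10.10.255.254 fits in 10.10.248.0/21); the list holds the
# asker's host entry plus a deliberately over-broad entry to be caught.
LAN = ipaddress.ip_network("10.10.0.0/16")
VPN_POOL = ipaddress.ip_network("10.10.248.0/21")
SAMPLE_LIST = ["10.10.0.112/0.0.0.0", "10.10.0.0/0.0.255.255"]


def parse_entry(entry: str) -> ipaddress.IPv4Network:
    """Convert 'address/wildcard' to a prefix. The wildcard must be a
    contiguous run of one-bits from the right (0.0.0.0 = single host,
    0.0.255.255 = /16); anything else is rejected rather than guessed."""
    addr_s, wild_s = entry.split("/")
    addr = int(ipaddress.IPv4Address(addr_s))
    wild = int(ipaddress.IPv4Address(wild_s))
    if wild & (wild + 1):
        raise ValueError(f"non-contiguous wildcard in {entry!r}")
    prefixlen = 32 - wild.bit_length()
    return ipaddress.IPv4Network((addr & ~wild & 0xFFFFFFFF, prefixlen))


def is_tunneled(network_list, dst: str) -> bool:
    """Client-side routing decision: only destinations inside a listed
    network go over the tunnel; everything else stays on the user's LAN."""
    d = ipaddress.ip_address(dst)
    return any(d in parse_entry(e) for e in network_list)


def overbroad_entries(network_list, lan, pool):
    """Entries covering the whole LAN or overlapping the VPN pool defeat
    the purpose of the list; report them so they are removed first."""
    bad = []
    for e in network_list:
        net = parse_entry(e)
        if lan.subnet_of(net) or pool.overlaps(net):
            bad.append(e)
    return bad


if __name__ == "__main__":
    for e in SAMPLE_LIST:
        print(f"{e:<24} -> {parse_entry(e)}")
    print("tunneled 10.10.0.112:", is_tunneled(SAMPLE_LIST[:1], "10.10.0.112"))
    print("tunneled 10.10.0.113:", is_tunneled(SAMPLE_LIST[:1], "10.10.0.113"))
    print("over-broad entries:", overbroad_entries(SAMPLE_LIST, LAN, VPN_POOL))
```

Because the client decides what it tunnels, the earlier suggestion in this thread of an ACL on the ASA inside interface still makes sense as a backstop that the server side enforces.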

Author Closing Comment

by:denver218
ID: 35157793
That worked.  Thanks for your help