Allow VPN user access to only 1 server? Is this possible?

meshoxford asked:
Hi Experts,

Is it possible to create a VPN user that is restricted to only one of our servers? For example if a user logs in to our VPN, can we restrict him to only access 192.168.0.19 but not allow him to access any other addresses/servers?  

I realize I could just give the user credentials to one server and not create a user name for the other servers. I ask this because this would just be a security measure in case a hacker obtained the user name and password and tried to brute force their way into a server.

Our current router is a Zyxel ZyWALL USG 100.

Thanks in advance

Matt
Commented:
You can always restrict access to the ports that your firewall is using to one IP address, and then only that machine would be able to VPN to your server ;)
Sorry, I did not see the whole question for some reason. One way to do this is, for example, if your VPN assigns IP addresses via DHCP, you can reserve a particular IP using the MAC address of the user's machine and then restrict access on your private network for that IP to only the one server you would like them to have access to. This obviously only works if the user only connects from one machine. Another solution is to apply this method to the entire range of IPs that are given out by the VPN; however, you now restrict everyone's VPN access to this one server. This may work best, and then you can give yourself the reserved IP, so that you have one box that can access all servers while other VPN clients only access the one server. Hope any of that helps.

Author

Commented:
Thanks Ryan,

This seems to be as complicated as I first thought it might be.... I don't want to restrict everyone's VPN, and I don't fully understand how I could enter a MAC address in the router and block access to other servers... Are you saying enter the MAC address of the machine and blacklist it on each server? That would be helpful to know but would not help me in this case because I wouldn't know the intruder's MAC address in advance.

Commented:
Simplest way is to find out if the USG 100 VPN supports reserving an IP address for a VPN user. I know solutions like OpenVPN support this. That way, any time a VPN connection is made by that user they are given the same IP address. Then you can simply restrict what access that IP address has to your network using simple firewall rules. For example, if you are using 172.35.0.0/24 and your VPN gives out the range 172.35.0.50-100, and you reserve 172.35.0.51 for user x, you can create firewall rules that restrict communication from IP 172.35.0.51 to the servers that you do not want them to access. Due to lack of experience with the Zyxel gateway I cannot comment on how you would accomplish this with that particular VPN.
In addition, if you have, say, a lot of people using this that you want to restrict and a few admins, you can reserve IPs for the admins and give their IPs full access, and then restrict the rest of the range that the VPN gives out so all other users are restricted ; )

Commented:
Hi,

Are you able to configure multiple L2TP/IPsec policies? You could have a new one for the one user that they have to use to connect to the device, whilst everyone else uses your main policy.

Assuming you can allocate a different address pool to that policy, once connected, you can then restrict what that IP range can connect to and limit it to the server.

Regards,

RobMobility.
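Both suggestions above (reserve a fixed VPN address for the user and firewall that address, or give the user a separate policy with its own address pool and firewall that pool) come down to the same thing: a first-match rule table on the gateway in which the restricted source is matched before the general "VPN pool may reach the LAN" rule. The following is an added example, not code from this thread or from Zyxel: a small first-match policy evaluator that models such a rule table so you can check the ordering before committing it to the USG. It uses the thread's example numbers (server 192.168.0.19, VPN pool 172.35.0.50-100, 172.35.0.51 reserved for the restricted user); the LAN 192.168.0.0/24, the extra servers .20 and .21, the admin address 172.35.0.52 and the separate pool 172.35.1.0/24 for the second policy are constructed assumptions.

```python
"""First-match firewall policy checker for the "reserve a VPN address, then
restrict it" approach.  Added example; addresses other than 192.168.0.19,
172.35.0.50-100 and 172.35.0.51 are assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range

ALLOW, DENY = "allow", "deny"


def net(cidr):
    return ip_network(cidr, strict=False)


ANY = (net("0.0.0.0/0"),)
LAN = net("192.168.0.0/24")                       # assumed from the asker's server address
ALLOWED_SERVER = net("192.168.0.19/32")           # the one server the user may reach
SERVERS = ["192.168.0.19", "192.168.0.20", "192.168.0.21"]   # constructed sample hosts
# Ryan's example pool 172.35.0.50-100, expressed as the CIDR blocks that cover it.
VPN_POOL = tuple(summarize_address_range(ip_address("172.35.0.50"),
                                         ip_address("172.35.0.100")))
RESTRICTED_USER = net("172.35.0.51/32")           # reserved address for user x
RESTRICTED_POOL = net("172.35.1.0/24")            # assumed pool of a second L2TP/IPsec policy


@dataclass(frozen=True)
class Rule:
    src: tuple      # source networks
    dst: tuple      # destination networks
    action: str     # ALLOW or DENY

    def matches(self, s, d):
        return any(s in n for n in self.src) and any(d in n for n in self.dst)


def evaluate(rules, src, dst, default=DENY):
    """First matching rule wins, as on iptables/nft and typical gateway firewalls;
    no match falls through to the default (deny)."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d):
            return rule.action
    return default


def reachable(rules, src, servers):
    """Which of the given servers a source address can reach under the rule set."""
    return sorted(d for d in servers if evaluate(rules, src, d) == ALLOW)


# Correct ordering: the specific restrictions come before the general pool allow.
GOOD_RULES = [
    Rule((RESTRICTED_USER,), (ALLOWED_SERVER,), ALLOW),   # reserved IP -> one server
    Rule((RESTRICTED_USER,), ANY, DENY),                  # ... and nothing else
    Rule((RESTRICTED_POOL,), (ALLOWED_SERVER,), ALLOW),   # second policy's pool -> one server
    Rule((RESTRICTED_POOL,), ANY, DENY),
    Rule(VPN_POOL, (LAN,), ALLOW),                        # everyone else in the pool
]

# Common mistake: the general allow is listed first, so the deny never matches.
BAD_RULES = [
    Rule(VPN_POOL, (LAN,), ALLOW),
    Rule((RESTRICTED_USER,), (ALLOWED_SERVER,), ALLOW),
    Rule((RESTRICTED_USER,), ANY, DENY),
]


if __name__ == "__main__":
    for label, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        for who in ("172.35.0.51", "172.35.0.52", "172.35.1.7"):
            print(f"{label:4} {who:12} -> {reachable(rules, who, SERVERS)}")
```

Run it as-is to see that, with the correctly ordered rules, the reserved address 172.35.0.51 and any address from the second policy's pool reach only 192.168.0.19, while the admin's address 172.35.0.52 still reaches everything; with the mis-ordered set the restricted user reaches every server. On the real gateway the same evaluation order applies, so the rule for the restricted address or pool must sit above the general VPN-to-LAN rule, and the deny must be explicit rather than relying on a later rule.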

Author

Commented:
I believe I can create a second policy, but I'm still not sure how I can restrict it.

Author

Commented:
This seems to be the solution; I'm still trying to figure out the firewall.
