icepick94
EZVPN block access to a certain group

I have all of my VPN tunneling up and running correctly. I have created 2 groups.

I want the second group to only have access to 5 servers. That's it. I do not want anyone in the second group to be able to ping any other IPs except the ones I specify. I have tried configuring an ACL on the interface, but I am missing something. When I log in with this group information, I can still ping everything and access everything on my LAN.

So I guess my question is: where do I put the ACL? Do I attach it to the virtual interface?
Here is a code snippet from my router:

crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL

crypto isakmp client configuration group EZVPN
 key DOYouREallyThinkIWould LeaveThisHere?
 dns 208.67.222.222
 pool EZVPN_POOL
 acl 101
 netmask 255.255.255.0

crypto isakmp profile EZVPN_PROFILE
   match identity group EZVPN
   client authentication list USER
   isakmp authorization list GROUP
   client configuration address respond
   virtual-template 1

crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac

crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE

interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE


To give an example: I want Bob, who logs in using the group EZVPN with his username, to only access the servers at 10.100.100.20,21,22,23,24,25. These servers sit on a /26 subnet.

I tried as a test:
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny any any

I attached this ACL to the crypto isakmp client configuration group EZVPN area and it did not work.

Any ideas?
Soulja

Based on your access list you are permitting a network to a host that resides on the same network: 10.100.100.x resides on 10.0.0.0/8. What pool of addresses are you assigning group 2?
Any update, author? Did you reconfigure your ACLs?
icepick94

ASKER

The networks are subnetted /26. I guess my example was a bit lacking.

So, I want to make sure that any user that comes in on the second group, which has tunnel addresses from 10.0.0.30 - 40, can only see, ping or access the servers at 10.100.9.20-27.

I want to add an ACL to the second group that only allows access to the servers at 10.100.9.20-27.

The network has been subnetted to the following networks:
10.100.9.0 /26
10.100.9.64 /26
10.100.9.128 /26
10.100.9.192 /26

The source addresses are from my tunnel at 10.0.0.30 - 40 /24.

That is why I set up the ACL as follows:
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny any any

This did not work.

Any ideas?

Thanks for the response.
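As an added example (not part of the thread, and not Soulja's answer), here is a small Python evaluator of Cisco wildcard-mask access-list entries, run over ACL 102 exactly as posted and the addresses given in the thread: whatever the list is attached to, its entries name destinations in 10.100.100.x while the servers are at 10.100.9.20-27, and they permit only tcp, so an ICMP ping falls through to the implicit deny. The matcher is a simplification of my own: ports are ignored and "ip" is the only protocol treated as matching everything.

```python
"""Evaluate Cisco wildcard-mask ACL entries against addresses from the thread.
Added example, not from the thread or Cisco; ports are ignored, 'ip' matches all."""
import ipaddress

# The poster's ACL 102 as given, except the last entry carries the 'ip'
# protocol keyword that IOS extended access-lists require.
ACL_102 = """
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny ip any any
"""

def _addr(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]

def parse_acl(text):
    """Return (action, protocol, (src, wc), (dst, wc)) for each entry."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()  # access-list N action proto src... dst...
        src, rest = _addr(parts[4:])
        dst, _ = _addr(rest)
        entries.append((parts[2], parts[3], src, dst))
    return entries

def _wc_match(addr, base, wildcard):
    """Cisco wildcard semantics: 0 bits must match, 1 bits are don't-care."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return a & care == b & care

def evaluate(entries, proto, src, dst):
    """First matching entry wins; an IOS ACL ends in an implicit deny."""
    for action, p, (sb, sw), (db, dw) in entries:
        if p in ("ip", proto) and _wc_match(src, sb, sw) and _wc_match(dst, db, dw):
            return action
    return "deny"

def reachable(entries, src, servers, proto="tcp"):
    """Which of the servers the given client address is permitted to reach."""
    return [s for s in servers if evaluate(entries, proto, src, s) == "permit"]
```

Running `reachable(parse_acl(ACL_102), "10.0.0.30", [f"10.100.9.{i}" for i in range(20, 28)])` returns an empty list, while the same call against 10.100.100.20-25 returns all six hosts.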
Not one person knows how to do this?
ASKER CERTIFIED SOLUTION
Soulja
I'm a fraking idiot! Thanks for pointing that out!

Points gladly awarded!
Nah, it's always easy to overlook something obvious, but that's why a second pair of eyes on your config is always a good thing.