icepick94
asked on
EZVPN block access to a certain group
I have all of my VPN tunneling up and running correctly. I have created 2 groups.
I want the second group to only have access to 5 servers. That's it. I do not want anyone in the second group to be able to ping any other IPs except the ones I specify. I have tried configuring an ACL on the interface, but I am missing something. When I log in with this group information, I can still ping everything and access everything on my LAN.
So I guess my question is where do I put the ACL? Do I attach it to the virtual interface?
Here is a code snippet from my router:
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
crypto isakmp client configuration group EZVPN
 key DOYouREallyThinkIWould LeaveThisHere?
 dns 208.67.222.222
 pool EZVPN_POOL
 acl 101
 netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
 match identity group EZVPN
 client authentication list USER
 isakmp authorization list GROUP
 client configuration address respond
 virtual-template 1
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
crypto ipsec profile EZVPN_PROFILE
 set transform-set EZVPN_SET
 set isakmp-profile EZVPN_PROFILE
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel path-mtu-discovery
 tunnel protection ipsec profile EZVPN_PROFILE
To give an example: I want bob, who logs in using the group EZVPN with his username, to only access the servers at 10.100.100.20, 21, 22, 23, 24 and 25. These servers sit on a /26 subnet.
I tried as a test:
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny ip any any
I attached this ACL to the crypto isakmp client configuration group EZVPN area and it did not work.
Any ideas?
Based on your access list you are permitting a network to a host that resides on the same network. 10.100.100.x resides on 10.0.0.0/8. What pool of addresses are you assigning group 2?
Any update, author? Did you reconfigure your ACLs?
ASKER
The networks are subnetted /26. I guess my example was a bit lacking.
So, I want to make sure that any user that comes in on the second group, which has tunnel addresses from 10.0.0.30-40, can only see, ping or access the servers at 10.100.9.20-27.
I want to add an ACL to the second group that only allows access to the servers at 10.100.9.20-27.
The network has been subnetted to the following networks:
10.100.9.0 /26
10.100.9.64 /26
10.100.9.128 /26
10.100.9.192 /26
The source addresses are from my tunnel at 10.0.0.30-40 /24.
That is why I set up the ACL as follows:
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny ip any any
This did not work.
Any ideas?
Thanks for the response.
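As an added check that is not part of the thread, the following Python models Cisco extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end) and runs them over the ACL 102 lines posted above, so the list can be tested against the flows named in the thread before worrying about where it is applied. It assumes the final line is written as `deny ip any any`, the form an IOS extended ACL accepts, and ignores any port tokens.

```python
import ipaddress
import re

# ACL 102 as posted in the thread (constructed sample; the last line uses the
# protocol keyword an IOS extended ACL requires).
ACL_102 = """
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.20 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.21 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.22 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.23 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.24 0.0.0.0
access-list 102 permit tcp 10.0.0.0 0.255.255.255 10.100.100.25 0.0.0.0
access-list 102 deny ip any any
"""

ENTRY_RE = re.compile(r"access-list\s+\d+\s+(permit|deny)\s+(\S+)\s+(.*)")

def _addr_spec(tokens):
    """Pop one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF                      # every bit is a don't-care
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens.pop(0))))

def parse_acl(text):
    """Return [(action, protocol, (src, wild), (dst, wild)), ...] in list order."""
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            action, proto, rest = m.groups()
            tokens = rest.split()                 # trailing port tokens are ignored
            entries.append((action, proto, _addr_spec(tokens), _addr_spec(tokens)))
    return entries

def _matches(spec, ip):
    addr, wild = spec                             # wildcard 1-bits are don't-care
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def evaluate(entries, proto, src_ip, dst_ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, p, src, dst in entries:
        if p in ("ip", proto) and _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"
```

Evaluating the flows from the thread with `evaluate(parse_acl(ACL_102), ...)` shows TCP from 10.0.0.35 to 10.100.100.20 permitted, while TCP to 10.100.9.20 and ICMP (ping) to 10.100.100.20 both fall through to the deny, since the list names 10.100.100.x and permits only tcp.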
ASKER
Not one person knows how to do this?
ASKER CERTIFIED SOLUTION
ASKER
I'm a fraking idiot! Thanks for pointing that out!
Points gladly awarded!
Nah, it's always easy to overlook something obvious, but that's why a second pair of eyes on your config is always a good thing.