TechGuy_007
asked on
Add a vpn subnet
We have people using VPN to log into our network. We however have two different subnets. I was wondering if there is a way to dictate which internal subnet users get based on their user name or some other variable. We are using Windows Server 2003 and Routing and Remote Access to do VPN.
By username? Maybe. Can the subnets communicate with each other? Can the firewall see both subnets?
What is doing the authentication (i.e. RADIUS, Cisco)?
ASKER
The subnets can't communicate. I had to add a second IP to the server that we want our vendor to access, but we don't want them to have access to the entire network. So we want their VPN access to only allow access to the second subnet.
Statically assign an IP address to his username after he authenticates. Make sure the firewall can communicate with the other subnet. When that user logs in they will automatically be thrown into the other subnet.
If you are using a Cisco PIX or ASA, try this:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml
And if you added a second IP address to a server that the vendor has access to, won't he have access to the entire network once he logs in to that particular server?
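The per-user static address suggested above is set in Active Directory on the account's Dial-in tab ("Assign a Static IP Address"), which writes the msRADIUSFramedIPAddress attribute; RRAS (or IAS) hands that address to the client after authentication. The attribute is an AD Integer, i.e. a signed 32-bit value, so any address with a first octet of 128 or higher shows up as a negative number in ADSI Edit or LDIF exports. The helper below is an added example, not code from the thread; it converts between dotted addresses and that integer, refuses any address outside the vendor subnet, and emits an LDIF fragment for ldifde. The vendor subnet 192.168.20.0/24, the user DN and the address are assumptions for illustration.

```python
import ipaddress

# Assumed second subnet that the vendor's VPN session is allowed to reach.
VENDOR_SUBNET = ipaddress.ip_network("192.168.20.0/24")


def to_framed_ip_attr(ip):
    """Encode an IPv4 address as AD stores msRADIUSFramedIPAddress.

    AD Integer syntax is signed 32-bit, so values >= 2**31 wrap negative.
    """
    n = int(ipaddress.IPv4Address(ip))
    return n - 2**32 if n >= 2**31 else n


def from_framed_ip_attr(value):
    """Decode a (possibly negative) msRADIUSFramedIPAddress back to dotted form."""
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def static_ip_for_vendor(ip, subnet=VENDOR_SUBNET):
    """Return the attribute value for ip, or raise if it is not a usable host
    address inside the vendor subnet (network and broadcast excluded)."""
    addr = ipaddress.IPv4Address(ip)
    if addr not in subnet:
        raise ValueError(f"{addr} is not inside vendor subnet {subnet}")
    if addr in (subnet.network_address, subnet.broadcast_address):
        raise ValueError(f"{addr} is not a host address in {subnet}")
    return to_framed_ip_attr(addr)


def ldif_for_user(user_dn, ip):
    """LDIF 'modify' record that grants dial-in and pins the static address.

    msNPAllowDialin is the boolean behind 'Allow access' on the Dial-in tab.
    Apply with: ldifde -i -f vendor.ldf
    """
    value = static_ip_for_vendor(ip)
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: msNPAllowDialin",
        "msNPAllowDialin: TRUE",
        "-",
        "replace: msRADIUSFramedIPAddress",
        f"msRADIUSFramedIPAddress: {value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    # Hypothetical vendor account and address; replace with real values.
    print(ldif_for_user("CN=vendor1,OU=Vendors,DC=example,DC=local", "192.168.20.10"))
```

The address you pin should be excluded from the RRAS static address pool (or the DHCP scope RRAS draws from) so no other client is ever handed the same one. Note that this only controls which address the vendor lands on; whether that address can reach anything beyond the one server is still decided by routing and firewall policy, which is exactly the point raised above about the server's second IP.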
ASKER
That is what we want to avoid. We want his VPN access limited to his server only.
ASKER
We don't have a PIX or ASA.
What firewall are you using? Where are you handling the DHCP for VPN connections? What are you using for authentication for users as they come into the network?
ASKER
We have a WatchGuard.
And is that handling VPN DHCP and authentication?
You can have multiple policies on your WatchGuard. You can give the user a different VPN IPsec configuration, set up a different DHCP scope inside the firewall for whatever subnet you are wanting, and assign it to the profile.
ASKER CERTIFIED SOLUTION