Solved

Resticting access over Site-to-Site VPN on Cisco 2801 Router

Posted on 2014-10-27
2
310 Views
Last Modified: 2014-11-05
I have a site to site VPN configured on my Cisco 2801 router between my organization and a vendor. I'm not sure what the vendor uses for a VPN device on their end. Below are the pertinent configs on the 2801:

crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2


crypto isakmp key blah address x.x.x.10

crypto ipsec transform-set Printers esp-aes 256 esp-sha-hmac


crypto map SDM_CMAP_1 30 ipsec-isakmp
description TUNNEL
set peer x.x.x.10
set transform-set Printers
match address 111

access-list 111 permit ip 172.17.10.10 255.255.255.255 host 10.10.2.23


ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/3/0.1 overload

route-map SDM_RMAP_1 permit 1
match ip address 141

access-list 141 deny ip 172.17.10.10 255.255.255.255 host 10.10.2.23

Now the only IP this vendor has access to is 172.17.10.10. How do I configured a VPN filter so they can only access 172.17.10.10 via port 3389 (rdp). Also once they are RDP into 172.17.10.10 what stops them from being able to access other parts of the network because at this point they are already in?  So basically this vendor needs access to to 172.17.10.10 via RDP only, so I would like to know what that vpn filter would look like, and once they are in via RDP to 172.17.10.10, what stops them from trying to RDP to another device on the network?
0
Comment
Question by:denver218
2 Comments
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
Comment Utility
Try applying an extended ACL on the itnerface that uses crypto map SDM_CMAP_1 and limit to RDP.

As far as who can RDP to to your server(s) that needs to be controlled thru Windows ACLs: System Properties > Remote > Remote Desktop > Select Users.
0
 
LVL 4

Author Closing Comment

by:denver218
Comment Utility
Thanks.
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

Suggested Solutions

If you have an ASA5510 then this sort of thing would be better handled with a CSC Module, however on an ASA5505 thats not an option, and if you want to throw in a quick solution to stop your staff going to facebook during work time, then this is the…
There are two basic ways to configure a static route for Cisco IOS devices. I've written this article to highlight a case study comparing the configuration of a static route using the next-hop IP and the configuration of a static route using an outg…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now