Solved

Resticting access over Site-to-Site VPN on Cisco 2801 Router

Posted on 2014-10-27
2
319 Views
Last Modified: 2014-11-05
I have a site to site VPN configured on my Cisco 2801 router between my organization and a vendor. I'm not sure what the vendor uses for a VPN device on their end. Below are the pertinent configs on the 2801:

crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2


crypto isakmp key blah address x.x.x.10

crypto ipsec transform-set Printers esp-aes 256 esp-sha-hmac


crypto map SDM_CMAP_1 30 ipsec-isakmp
description TUNNEL
set peer x.x.x.10
set transform-set Printers
match address 111

access-list 111 permit ip 172.17.10.10 255.255.255.255 host 10.10.2.23


ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/3/0.1 overload

route-map SDM_RMAP_1 permit 1
match ip address 141

access-list 141 deny ip 172.17.10.10 255.255.255.255 host 10.10.2.23

Now the only IP this vendor has access to is 172.17.10.10. How do I configured a VPN filter so they can only access 172.17.10.10 via port 3389 (rdp). Also once they are RDP into 172.17.10.10 what stops them from being able to access other parts of the network because at this point they are already in?  So basically this vendor needs access to to 172.17.10.10 via RDP only, so I would like to know what that vpn filter would look like, and once they are in via RDP to 172.17.10.10, what stops them from trying to RDP to another device on the network?
0
Comment
Question by:denver218
2 Comments
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 40407280
Try applying an extended ACL on the itnerface that uses crypto map SDM_CMAP_1 and limit to RDP.

As far as who can RDP to to your server(s) that needs to be controlled thru Windows ACLs: System Properties > Remote > Remote Desktop > Select Users.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 40423898
Thanks.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question