Solved

Restricting access over Site-to-Site VPN on Cisco 2801 Router

Posted on 2014-10-27
Medium Priority
335 Views
Last Modified: 2014-11-05
I have a site to site VPN configured on my Cisco 2801 router between my organization and a vendor. I'm not sure what the vendor uses for a VPN device on their end. Below are the pertinent configs on the 2801:

! Phase 1 (IKE): AES-256, pre-shared key, DH group 2
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
! Pre-shared key for the vendor peer (value redacted here)
crypto isakmp key blah address x.x.x.10
!
! Phase 2 proposal
crypto ipsec transform-set Printers esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 30 ipsec-isakmp
 description TUNNEL
 set peer x.x.x.10
 set transform-set Printers
 match address 111
!
! Crypto ACL: defines the traffic to be encrypted. In an extended ACL the
! field after a source address is a wildcard mask, so "172.17.10.10
! 255.255.255.255" matches ANY source; "host 172.17.10.10" (wildcard
! 0.0.0.0) is what was intended.
access-list 111 permit ip host 172.17.10.10 host 10.10.2.23
!
! PAT: traffic matched by route-map SDM_RMAP_1 is overloaded on the WAN interface
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/3/0.1 overload
!
route-map SDM_RMAP_1 permit 1
 match ip address 141
!
! NAT exemption for tunnel traffic (same host/wildcard correction as above)
access-list 141 deny ip host 172.17.10.10 host 10.10.2.23

Now the only IP this vendor has access to is 172.17.10.10. How do I configure a VPN filter so they can only access 172.17.10.10 via port 3389 (RDP)? Also, once they RDP into 172.17.10.10, what stops them from being able to access other parts of the network, because at this point they are already in? So basically this vendor needs access to 172.17.10.10 via RDP only, so I would like to know what that VPN filter would look like, and once they are in via RDP to 172.17.10.10, what stops them from trying to RDP to another device on the network?
Question by:denver218
2 Comments

Accepted Solution

by:
naderz earned 2000 total points
ID: 40407280
Try applying an extended ACL on the interface that uses crypto map SDM_CMAP_1 and limit it to RDP.

As far as who can RDP to your server(s), that needs to be controlled through Windows ACLs: System Properties > Remote > Remote Desktop > Select Users.
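A worked configuration for the filter naderz describes, added here as an example; it is not from the original thread and not the poster's actual 2801 config. It assumes crypto map SDM_CMAP_1 is applied to FastEthernet0/3/0.1 (the NAT outside interface named in the question), that 10.10.2.23 is the vendor's host and x.x.x.10 their peer address (both from the question), and the ACL name VPN_IN is invented for this example:

```cisco
! Added example, not the original poster's config. Assumptions: crypto map
! SDM_CMAP_1 sits on FastEthernet0/3/0.1; the vendor host is 10.10.2.23 and
! the vendor peer is x.x.x.10 (from the question); ACL name VPN_IN is invented.
!
! 1. Crypto ACL: only RDP between 172.17.10.10 and the vendor host is
!    interesting traffic. "host" is used because the field after a source
!    address in an extended ACL is a wildcard mask, so
!    "172.17.10.10 255.255.255.255" would match ANY source. The vendor must
!    configure the mirror image (10.10.2.23 -> 172.17.10.10, tcp/3389) or the
!    phase 2 proxy IDs will not match and the IPsec SA will not come up.
no access-list 111
access-list 111 permit tcp host 172.17.10.10 eq 3389 host 10.10.2.23
!
! 2. Inbound filter on the outside interface. IOS evaluates decrypted packets
!    against the inbound ACL of the interface carrying the crypto map, so this
!    list must permit the IKE/ESP envelope AND the clear-text inner flow, and
!    should deny everything else that arrives from the vendor.
ip access-list extended VPN_IN
 remark IKE (udp/500), NAT-T (udp/4500) and ESP from the vendor peer only
 permit udp host x.x.x.10 eq isakmp any eq isakmp
 permit udp host x.x.x.10 eq non500-isakmp any eq non500-isakmp
 permit esp host x.x.x.10 any
 remark decrypted traffic: vendor host to 172.17.10.10, RDP only
 permit tcp host 10.10.2.23 host 172.17.10.10 eq 3389
 remark anything else from the vendor (inner or outer address) is dropped and logged
 deny   ip host 10.10.2.23 any log
 deny   ip host x.x.x.10 any log
 remark keep the rest of the existing edge policy unchanged (NAT return traffic etc.)
 permit ip any any
!
interface FastEthernet0/3/0.1
 ip access-group VPN_IN in
```

If an inbound ACL already exists on that interface, put these entries at the top of it rather than ending with `permit ip any any`. Verify with `show access-lists VPN_IN` (the tcp/3389 permit should increment during a vendor session and the deny lines should log anything else they try) and `show crypto ipsec sa` (the local/remote identities should show the single host-to-host tcp/3389 flow). The router answers only the first half of the question: once the vendor is on 172.17.10.10, RDP from that host to another machine on the same inside segment never crosses the router, so that has to be controlled on the host as naderz says (Remote Desktop Users membership, a non-admin vendor account, and an outbound Windows Firewall rule on 172.17.10.10 blocking tcp/3389 to other hosts) or by putting 172.17.10.10 on its own VLAN behind a routed ACL.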
Author Closing Comment

by:denver218
ID: 40423898
Thanks.