Solved

Resticting access over Site-to-Site VPN on Cisco 2801 Router

Posted on 2014-10-27
2
327 Views
Last Modified: 2014-11-05
I have a site to site VPN configured on my Cisco 2801 router between my organization and a vendor. I'm not sure what the vendor uses for a VPN device on their end. Below are the pertinent configs on the 2801:

crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2


crypto isakmp key blah address x.x.x.10

crypto ipsec transform-set Printers esp-aes 256 esp-sha-hmac


crypto map SDM_CMAP_1 30 ipsec-isakmp
description TUNNEL
set peer x.x.x.10
set transform-set Printers
match address 111

access-list 111 permit ip 172.17.10.10 255.255.255.255 host 10.10.2.23


ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/3/0.1 overload

route-map SDM_RMAP_1 permit 1
match ip address 141

access-list 141 deny ip 172.17.10.10 255.255.255.255 host 10.10.2.23

Now the only IP this vendor has access to is 172.17.10.10. How do I configured a VPN filter so they can only access 172.17.10.10 via port 3389 (rdp). Also once they are RDP into 172.17.10.10 what stops them from being able to access other parts of the network because at this point they are already in?  So basically this vendor needs access to to 172.17.10.10 via RDP only, so I would like to know what that vpn filter would look like, and once they are in via RDP to 172.17.10.10, what stops them from trying to RDP to another device on the network?
0
Comment
Question by:denver218
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 11

Accepted Solution

by:
naderz earned 500 total points
ID: 40407280
Try applying an extended ACL on the itnerface that uses crypto map SDM_CMAP_1 and limit to RDP.

As far as who can RDP to to your server(s) that needs to be controlled thru Windows ACLs: System Properties > Remote > Remote Desktop > Select Users.
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 40423898
Thanks.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question