Limit access to services across VPN

Unanswered Question
Mar 29th, 2007

Greetings,

I'm attempting to limit access to network resources across a VPN tunnel but can't seem to get it right. Here's the situation...

Network resources:

1 Terminal Server (OKATERM1)

2 DC's + DNS (OKAMAIN1 & OKASQL1)

I want to allow DNS requests to the 2 DC's and RDP access to the Terminal Server for remote VPN clients. Nothing else is needed. My config looks good (to me), but clearly something is wrong. When I setup the VPN tunnel for testing there is full access to all 3 servers.

Any suggestions or comments are appreciated.

Config info follows:

name 192.168.2.11 OKASQL1

name 192.168.2.10 OKAMAIN1

name 192.168.2.12 OKATERM1

access-list compiled

access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host OKAMAIN1 192.168.3.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host OKASQL1 192.168.3.0 255.255.255.0

access-list inside_outbound_nat0_acl permit ip host OKATERM1 192.168.3.0 255.255.255.0

access-list outside_cryptomap_dyn_40 remark VPN access to DNS

access-list outside_cryptomap_dyn_40 permit tcp host OKAMAIN1 eq domain 192.168.3.0 255.255.255.0 eq domain

access-list outside_cryptomap_dyn_40 remark VPN access to DNS

access-list outside_cryptomap_dyn_40 permit tcp host OKASQL1 eq domain 192.168.3.0 255.255.255.0 eq domain

access-list outside_cryptomap_dyn_40 remark VPN access to Terminal Server

access-list outside_cryptomap_dyn_40 permit tcp host OKATERM1 eq 3389 192.168.3.0 255.255.255.0 eq 3389

vpngroup VPN-Remote address-pool VPN-IP-POOL

vpngroup VPN-Remote dns-server xxx

vpngroup VPN-Remote default-domain ad.okabstract.com

vpngroup VPN-Remote idle-time 3600

vpngroup VPN-Remote password

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
a-vazquez Wed, 04/04/2007 - 06:26

If you are attempting to limit access to network resources across a VPN tunnel then in the access-list should be denying the traffic to the specified location.

jeremyarcher Wed, 04/04/2007 - 18:19

gddotts,

Right now you have two ACLs:

access-list inside_outbound_nat0_acl

&

access-list outside_cryptomap_dyn_40

The "inside_outbound_nat0_acl" ACL specifies NOT to translate the traffic to/from the VPN Clients and the LAN.

The "outside_cryptomap_dyn_40" ACL tells the device which traffic to encrypt and send through the tunnel.

Thus, there is nothing right now that tells the device what traffic to allow and deny.

You need to create another ACL and apply that filter to the VPN-Remote group.

Good luck

Actions

This Discussion