Port filtering on vpn 3000 concentrator

jdw28 · ‎10-29-2007

Hi,

Is there a way to limit vpn client sessions based on the application ports? For example, I would like to give access to a vendor to a specific internal server but his access needs to be limited to FTP only. I can define the server access using a VPN network list but I'm not sure how to restrict further by using the port numbers.

I'm ruling out the VPN Filters since they need to be applied physically to an interface, affecting other users whose access are based on IP addresses.

Thanks.

-Jim

irisrios · ‎11-02-2007

You can configure an extended access list and specify the port range for each ip address. The following URL might help.

http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008080dfa7.shtml#tab4

dagbebi · ‎11-07-2007

I curious to know how you limited the vendor to a specific internal server. I need to do the same.

jdw28 · ‎11-07-2007

I was wrong about using the filters. Filters can be applied to VPN groups to limit access down to the port level. The filters become complex when restrictions are numerous and the number of servers involved is large. Filters can not be applied to VPN users.

To answer your question of just limiting the access to a specific server, use split tunneling in conjunction with a network list. You include the internal server IP address in the network list.

-Jim