
Restrict vpn remote access

piaszczynski
Level 1

Hi,

I am trying to restrict access to the remote site for a VPN user using VPN client software.

- concentrator vpn 3015 release 4.7.2.N-K9

- vpn client release 5.0.01.0600

The VPN connection is OK.

I would like, for example, to block HTTP traffic on the remote site for a group (to block intranet access, for example). One of my colleagues told me that I have to use firewall filters and rules, but I haven't succeeded yet.

My user is "bundy" in the group "groutcho".

I've created a filter (in traffic management) which contains two rules (drop HTTP inbound for all addresses, and drop HTTP outbound for all addresses). One rule should be necessary, but I put two to be sure!

I've configured the groutcho group in the "client firewall" tab to require Cisco Integrated Firewall and to push my policy (the filter with the two drop rules).

However, the user can still access a web server on the remote site.

I've tried to restrict all accesses (with two drop-all rules) but it also doesn't work, the user has full access to the remote site.

The only thing I manage to control is to deny the VPN connection when the user doesn't have the good firewall on his computer.

Could you help me configure the concentrator correctly in order to restrict access to the remote site?

Thank you,

regards


ivillegas
Level 6

You have the option of creating VPN filters for this purpose. Refer to the following URL for creating filters on PIX/ASA.

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Thanks, but in fact I would like the same type of document but for the VPN concentrator 3000 series, which is very different from PIX...

Bye

I've found the solution at http://cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094eac.shtml

The only thing I added is a rule for outgoing in the filter.

Thanks a lot.

Do you have a Cisco ACS server in this configuration?
