Can you create a limited client VPN access?

Unanswered Question
May 29th, 2008

My vendor wants to use client VPN to access my network, but I want to limit them to accessing one IP using port 443. What change do I need to make?

Here is the short version of config.

interface ethernet0
 ip address
 nameif outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
ip local pool testpool
username testuser password 12345678
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key xxx
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

arturo.guzman Thu, 05/29/2008 - 07:29

You have to add to the nonat the segments that your provider can access, like this:

access-list nonat extended permit ip host

Or, if you use split tunnel, you can control it in this access list, like this:

access-list VPN_PROVEEDOR1_SPLIT extended permit ip

split-tunnel-network-list value VPN_PROVEEDOR1_SPLIT

Or maybe you can use an access-list on your router gateway.
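The following is an added worked example, not part of the question or of the answer above. It puts the two pieces the answer mentions (the nonat exemption and the split-tunnel list) next to the one piece that actually enforces "one host, port 443 only" on the ASA itself, a vpn-filter in the group policy. It assumes the ASA/PIX 7.x or 8.0 NAT syntax the posted config uses, an interface named inside, and the tunnel-group name testgroup from the question; the inside host 192.168.1.10, the pool range 10.200.200.1-10.200.200.10 and every name beginning with VENDOR_ are hypothetical placeholders.

```cisco
! Added example, not the original poster's or the answerer's config.
! Assumptions: pre-8.3 NAT syntax, an "inside" interface, tunnel-group
! "testgroup" from the question. The server 192.168.1.10, the pool
! 10.200.200.0/24 and the VENDOR_* names are hypothetical placeholders.

ip local pool VENDOR_POOL 10.200.200.1-10.200.200.10 mask 255.255.255.0

! 1. NAT exemption, as the answer describes: inside host <-> vendor pool.
!    This only keeps the traffic from being translated; it filters nothing.
access-list nonat extended permit ip host 192.168.1.10 10.200.200.0 255.255.255.0
nat (inside) 0 access-list nonat

! 2. Split-tunnel list: only this host is routed through the tunnel.
!    Note this is enforced by the VPN client software, not by the ASA.
access-list VENDOR_SPLIT standard permit host 192.168.1.10

! 3. vpn-filter: checked on the ASA for every packet from the tunnel.
!    Source is the remote (client) side, destination is the inside host,
!    and the port is written on the destination. The implicit deny at the
!    end drops anything else the vendor sends, including other ports on
!    the same host.
access-list VENDOR_FILTER extended permit tcp 10.200.200.0 255.255.255.0 host 192.168.1.10 eq 443

group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDOR_SPLIT
 vpn-filter value VENDOR_FILTER

! Attach the policy and the pool to the vendor's tunnel-group.
tunnel-group testgroup general-attributes
 address-pool VENDOR_POOL
 default-group-policy VENDOR_GP
```

The split-tunnel list and the nonat ACL decide what gets routed and how it is translated; neither one can say "port 443 only", because the split list is applied by the client and the nonat entry is an ip rule. Only the vpn-filter does the filtering, and it does it on the ASA, so a client whose split-tunnel setting is overridden still cannot reach anything else. After the vendor connects, `show access-list VENDOR_FILTER` shows hit counts on the permit line, and `show vpn-sessiondb remote` shows the session with the assigned pool address, which is a quick way to confirm the right group policy was applied.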
