Can you create a limited client VPN access?

donlin123 (Level 1)

My vendor wants to use client VPN to access my network, but I want to limit them to accessing one IP, 192.168.1.1, on port 443. What change do I need to make?

Here is the short version of the config.

interface ethernet0
 ip address 10.10.4.200 255.255.0.0
 nameif outside
!
! Phase 1 (IKEv1) policy
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 2
isakmp policy 1 lifetime 43200
isakmp enable outside
!
! Address pool handed to remote-access clients, and a local test user
ip local pool testpool 192.168.0.10-192.168.0.15
username testuser password 12345678
!
! Phase 2 transform set (typo fixed: "transform-set", not "transform set")
crypto ipsec transform-set FirstSet esp-3des esp-md5-hmac
!
! Remote-access tunnel group using the pool and a pre-shared key
tunnel-group testgroup type ipsec-ra
tunnel-group testgroup general-attributes
 address-pool testpool
tunnel-group testgroup ipsec-attributes
 pre-shared-key xxx
!
! Dynamic crypto map for the clients, bound to the outside interface
crypto dynamic-map dyn1 1 set transform-set FirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside

arturo.guzman (Level 1)

You have to add to the nonat the segments that your provider can access, like this.

access-list nonat extended permit ip host 10.1.3.11 192.168.0.0 255.255.255.0

Or, if you use split tunneling, you can control it in this access list,

like this.

access-list VPN_PROVEEDOR1_SPLIT extended permit ip 10.1.3.11 255.255.255.255 192.168.0.0 255.255.255.0

split-tunnel-network-list value VPN_PROVEEDOR1_SPLIT

Or maybe you can use an access-list on your router gateway.
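Added example, not from the original thread or either poster: the ASA configuration that restricts the vendor to TCP/443 on 192.168.1.1 as the question asks. It combines the NAT exemption and split-tunnel list from the reply above with a vpn-filter, which is the piece that the ASA actually enforces: the split-tunnel list only tells the client which destinations to send into the tunnel, and because `sysopt connection permit-vpn` is on by default, decrypted VPN traffic bypasses the interface ACLs, so without a vpn-filter nothing on the ASA stops the vendor from reaching other inside hosts. Assumed here: the inside interface is named "inside", the pre-8.3 `nat 0 access-list` NAT syntax that the reply's "nonat" style implies, the ACL and group-policy names VENDOR_SPLIT, VENDOR_FILTER and VENDOR_GP, and that the pool and tunnel group are the ones from the question. The vpn-filter ACL is written with the client's pool address as source and the inside host as destination; the ASA applies it to both directions of the session.

```cisco
! Added example (not the thread's own config). Assumptions: inside interface
! "inside", pre-8.3 NAT syntax, ACL/group-policy names chosen for illustration.
!
! 1. NAT exemption between the inside server and the client pool from the
!    question (192.168.0.10-15, covered here by its /24).
access-list nonat extended permit ip host 192.168.1.1 192.168.0.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Split-tunnel list: the client routes only 192.168.1.1 into the tunnel.
!    Advisory only; the client chooses what it sends, so this is not the
!    enforcement point.
access-list VENDOR_SPLIT standard permit host 192.168.1.1
!
! 3. vpn-filter ACL: what the ASA enforces. Source = address the client is
!    assigned from the pool, destination = inside host and port. Everything
!    not matched here falls to the implicit deny at the end of the ACL.
access-list VENDOR_FILTER extended permit tcp 192.168.0.0 255.255.255.0 host 192.168.1.1 eq 443
!
! 4. Group policy carrying the filter and the split-tunnel list.
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-filter value VENDOR_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDOR_SPLIT
!
! 5. Attach it to the vendor's tunnel group from the question.
tunnel-group testgroup general-attributes
 address-pool testpool
 default-group-policy VENDOR_GP
```

To check it, have the vendor connect and try both the allowed and a disallowed destination, then look at `show access-list VENDOR_FILTER`: the hit count on the permit line should rise for the 443 session and the other attempts should produce nothing but drops. `show vpn-sessiondb detail remote` shows the group policy and filter bound to the session. If the vendor needs a second host or port later, add an ACE to VENDOR_FILTER rather than loosening the split-tunnel list, since only the filter is enforced. Separately, the 3DES, MD5-HMAC and DH group 2 settings in the posted config are legacy choices; they do not affect this access restriction but are worth replacing when the ASA software allows it.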
