restrict VPN access

Unanswered Question
Jul 29th, 2008

Hi,


Hope you can help. I need to allow a user access to one host on my LAN, and only RDP access. I have a Cisco 2801 with IOS 12.4. VPN is working great for other users.

Is there a command that I can apply to a crypto map or the like to restrict certain traffic from individuals?


Many Thanks


Stephen

michael.leblanc Tue, 07/29/2008 - 10:29

You've not indicated whether you are referring to a site-to-site VPN, or RAVPN.


In either case, the inbound interface ACL applied to your router's external interface would be configured with an ACE(s) specifying the encapsulated IP addresses (source and destination) to be permitted. You could specify your higher layer criteria (RDP) here.



Site-to-Site:


Hopefully, the specific user/host has a persistent fixed IP. If there were ACEs specifying other far-side source addresses with access to other local resources, you wouldn't want that user/host matching those ACEs.



RAVPN:


You could specify a unique "isakmp client configuration group" for the user, with a unique IP pool of one address. This would ensure that the interface ACL (configured for the same address) enforced policy as intended.


Generally, it's a bad idea to specify upper-layer criteria (e.g. RDP) in crypto ACLs or split-tunneling ACLs.


stephen.stack Wed, 07/30/2008 - 00:15

Hi Michael,


Thanks for getting back. Sorry, it is a RAVPN, and I think I've created a good config for this.


!
crypto isakmp client configuration group GROUP
 key PASS
 dns 192.168.15.10
 wins 192.168.15.10
 domain domain.local
 pool POOL
!
ip local pool POOL 192.168.51.1 192.168.51.6
!
! Source port is left unspecified: an RDP client connects from an ephemeral
! source port, so matching "eq 3389" on the source side would never hit.
access-list 103 permit tcp 192.168.51.0 0.0.0.7 192.168.15.12 0.0.0.0 eq 3389 log
access-list 103 deny ip 192.168.51.0 0.0.0.7 192.168.15.0 0.0.0.255 log
access-list 103 permit ip any any
!
int fa0/0
 ip access-group 103 out
!


What do you think?


Stephen

Marwan ALshawi Wed, 07/30/2008 - 07:36

Apply it in the inbound direction on the outside interface; that is better and less CPU intensive.


stephen.stack Wed, 07/30/2008 - 07:41

Will the outside interface still see the traffic coming from the tunnel?

Marwan ALshawi Wed, 07/30/2008 - 07:44

It will terminate on that interface, so it will see it.

And as the person above mentioned, you can make another pool with another group name and put more restrictions on that group.

If you need more help, let me know.

Try the ACL too.

Good luck

michael.leblanc Wed, 07/30/2008 - 08:47

You've not indicated whether int fa0/0 is an internal or external interface.


I'll assume that it is an "internal" interface, given that you have defined the RAVPN client addresses as the source and the ACL has been applied "outbound".


If fa0/0 is not the internal interface, then you have applied it incorrectly.


I prefer to permit or deny connection initiation on the ingress interface. In this case that would mean applying the ACL inbound on the external interface.


From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.


Are you sure you want to log every RDP packet?


Your initial post indicated that you needed to allow "a user" restricted access, so I'm not sure why you are defining a pool of multiple addresses for this "isakmp client configuration group". Are you applying the RDP restriction to one user, many, or all?


It is not clear to me whether this is to be a supplemental configuration group with restricted access, or whether this is to be the one and only configuration group.



Although I have not explored this method, I believe the access restriction could be implemented with an ACL applied to the dynamic crypto map rather than with ACEs within the interface ACL applied to the external interface. I'm not trying to get you to change your existing approach, just making light of an alternative for future reference.


e.g.:

crypto dynamic-map ravpn-map 10
 set ip access-group 120 in
 set transform-set xfm-3des
 set isakmp-profile psk-prof-1
 reverse-route


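The approach Michael recommends above (a separate client configuration group with its own small pool, policy enforced by the interface ACL applied inbound on the external interface, explicit deny-and-log at the end instead of "permit ip any any", and no per-packet logging of the RDP permit) is shown below as one complete constructed configuration. This is an added example, not configuration from the thread or from Cisco documentation; the group, pool, ACL and map names, the 203.0.113.1 outside address, the 192.168.51.8-.10 restricted pool and the interface numbers are all assumptions, and the pre-shared key is a placeholder.

```cisco
! Constructed example (not from the thread). Names, addresses and the
! external interface are assumptions; the key is a placeholder.
!
aaa new-model
aaa authentication login VPN-LOGIN local
aaa authorization network VPN-GROUPS local
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Dedicated group for the restricted user, with its own pool so the
! interface ACL can match that user's addresses and nobody else's.
crypto isakmp client configuration group RDP-ONLY
 key RDP-ONLY-PSK-PLACEHOLDER
 dns 192.168.15.10
 domain domain.local
 pool RDP-ONLY-POOL
!
! Two addresses rather than one, so a quick disconnect/reconnect does not
! stall waiting for the previous lease to be released.
ip local pool RDP-ONLY-POOL 192.168.51.9 192.168.51.10
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map RAVPN-DYN 10
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map RAVPN-MAP client authentication list VPN-LOGIN
crypto map RAVPN-MAP isakmp authorization list VPN-GROUPS
crypto map RAVPN-MAP client configuration address respond
crypto map RAVPN-MAP 10 ipsec-isakmp dynamic RAVPN-DYN
!
! Interface ACL applied inbound on the external interface. The decrypted
! client packets are evaluated here, so this is where the policy lives.
! No source port on the RDP ACE: the client picks an ephemeral source port.
! No "log" on the permit: logging every RDP packet is noise, not signal.
ip access-list extended OUTSIDE-IN
 remark ISAKMP / NAT-T / ESP addressed to the router itself
 permit udp any host 203.0.113.1 eq isakmp
 permit udp any host 203.0.113.1 eq non500-isakmp
 permit esp any host 203.0.113.1
 remark restricted group: RDP to the one permitted host only
 permit tcp 192.168.51.8 0.0.0.7 host 192.168.15.12 eq 3389
 remark anything else from the restricted pool is dropped and logged
 deny ip 192.168.51.8 0.0.0.7 any log
 remark ACEs for the regular-user pool would be added above this line
 deny ip any any log
!
interface FastEthernet0/1
 description External interface (assumed address)
 ip address 203.0.113.1 255.255.255.248
 ip access-group OUTSIDE-IN in
 crypto map RAVPN-MAP
```

The ordering inside OUTSIDE-IN matters: the restricted pool's deny comes before any ACE for the regular-user pool, so a more permissive regular-user entry can never accidentally match the restricted addresses. The final "deny ip any any log" is what turns a gap in the policy into a logged event rather than a silently allowed flow.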

Marwan ALshawi Wed, 07/30/2008 - 18:49

But with ACLs (ACEs) applied to the right interface in the right direction, it will work too!!

So for the required restriction, it is better to make a separate group with a separate pool and put more restrictions on the new pool; regardless of whether this pool contains one address or more, it will be considered the restricted pool.

With an ASA we could achieve the restriction at the user level itself, which is easier and better.

If helpful, rate.


michael.leblanc Thu, 07/31/2008 - 06:41

My recommendation was (and remains) to use multiple groups, each with its own pool, and restrictions via the interface ACL.


If (in the future) he was to explore the application of ACLs in the dynamic crypto map, there would be multiple sections in the crypto map, each pointing to different profiles, which in turn point to different groups.


stephen.stack Thu, 07/31/2008 - 07:23

Ok Guys.


Thanks very much for all your advice. I will look into some of your suggestions at a later stage, particularly applying the ACL to the dynamic crypto map.


For now I have carried out the exact config as above. Fa0/0 is the inside interface. The pool is a separate pool. The crypto map is its own separate crypto map. Also, I have given a few IPs in the pool, because I remember reading somewhere on this forum that if only one IP is applied, then if the user disconnects and reconnects the IP may not free from the pool quickly enough, leaving the user waiting to get back in.



Thanks for all help on this one.


Stephen

Marwan ALshawi Thu, 07/31/2008 - 07:56

All good.

Only the crypto map: you should have only one map for all your groups.

Good luck

stephen.stack Thu, 07/31/2008 - 08:03

Sorry man, I have only one crypto map, many groups: one group for regular users, one for the restricted user and one for site-to-site.


Cheers


Stephen
