07-29-2008 12:42 AM - edited 02-21-2020 03:51 PM
Hi,
Hope you can help. I need to allow a user access to one host on my LAN and only RDP access. I have a Cisco 2801 with IOS 12.4. VPN is working great for other users.
Is there a command that I can apply to a crypto map or the like to restrict certain traffic from individuals?
Many Thanks
Stephen
07-29-2008 10:29 AM
You've not indicated whether you are referring to a site-to-site VPN, or RAVPN.
In either case, the inbound interface ACL applied to your router's external interface would be configured with an ACE(s) specifying the encapsulated IP addresses (source and destination) to be permitted. You could specify your higher layer criteria (RDP) here.
Site-to-Site:
Hopefully, the specific user/host has a persistent fixed IP. If there were ACEs specifying other far-side source addresses with access to other local resources, you wouldn't want that user/host matching those ACEs.
RAVPN:
You could specify a unique "isakmp client configuration group" for the user, with a unique IP pool of one address. This would ensure that the interface ACL (configured for the same address) enforced policy as intended.
Generally, it's a bad idea to specify upper-layer criteria (e.g.: RDP) in crypto ACLs, or split-tunneling ACLs.
07-30-2008 12:15 AM
Hi Michael,
Thanks for getting back. Sorry, it is a RAVPN, and I think I've created a good config for this.
!
!
crypto isakmp client configuration group GROUP
key PASS
dns 192.168.15.10
wins 192.168.15.10
domain domain.local
pool POOL
!
ip local pool POOL 192.168.51.1 192.168.51.6
!
!
! no source-port match: the RDP client's source port is ephemeral, only the destination is 3389
access-list 103 permit tcp 192.168.51.0 0.0.0.7 192.168.15.12 0.0.0.0 eq 3389 log
access-list 103 deny ip 192.168.51.0 0.0.0.7 192.168.15.0 0.0.0.255 log
access-list 103 permit ip any any
!
int fa0/0
ip access-group 103 out
!
What do you think?
Stephen
07-30-2008 07:36 AM
apply it in inbound direction on the outside interface better and less CPU intensive
07-30-2008 07:41 AM
will the outside interface still see the traffic coming from the tunnel??
07-30-2008 07:44 AM
it will terminate on that interface
sure will see it
and as the person above mentioned you can make another pool with another group name and make more restriction on that group
if you need more help let me know
try the ACL too,
good luck
07-30-2008 08:47 AM
You've not indicated whether int fa0/0 is an internal or external interface.
I'll assume that it is an "internal" interface given that you have defined the RAVPN Client addresses as the source, and the ACL has been applied "outbound".
If fa0/0 is not the internal interface, then you have applied it incorrectly.
I prefer to permit or deny connection initiation on the ingress interface. In this case that would mean applying the ACL inbound on the external interface.
From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.
Are you sure you want to log every RDP packet?
Your initial post indicated that you needed to allow "a user" restricted access, so I'm not sure why you are defining a pool of multiple addresses for this "isakmp client configuration group". Are you applying the RDP restriction to one user, many, or all?
It is not clear to me whether this is to be a supplemental configuration group with restricted access, or whether this is to be the one and only configuration group.
Although I have not explored this method, I believe the access restriction could be implemented with an ACL applied to the dynamic crypto map rather than with ACEs within the interface ACL applied to the external interface. I'm not trying to get you to change your existing approach, just making light of an alternative for future reference.
e.g.:
crypto dynamic-map ravpn-map 10
set ip access-group 120 in
set transform-set xfm-3des
set isakmp-profile psk-prof-1
reverse-route
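The dynamic crypto map alternative sketched in the post above, carried through as a constructed example rather than the thread's own config: two groups on one dynamic map, with the clear-text ACL bound only to the restricted group's map entry. Assumed names (RESTRICTED, RESTRICTED-PROF, REGULAR-PROF, RDP-ONLY, OUTSIDE-MAP, FastEthernet0/1 as the outside interface) and the placeholder secrets are mine; the REGULAR group and ISAKMP policy are assumed to exist as in the thread.

```cisco
! Constructed example, not the thread's own config: two RAVPN groups on one
! dynamic crypto map. Only the RESTRICTED entry carries a clear-text ACL, so
! its "deny ip any any log" cannot touch the regular users' traffic.
! Assumes the REGULAR group and ISAKMP policy are already defined as in the thread.
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network GROUPAUTH local
username restricted-user password 0 <user-password-placeholder>
!
crypto isakmp client configuration group RESTRICTED
 key <group-key-placeholder>
 dns 192.168.15.10
 domain domain.local
 pool POOL-RESTRICTED
ip local pool POOL-RESTRICTED 192.168.51.1 192.168.51.6
!
! One ISAKMP profile per group: the group name selects the profile and the
! profile selects the dynamic-map entry, so the ACL is bound to one group only.
crypto isakmp profile RESTRICTED-PROF
 match identity group RESTRICTED
 client authentication list USERAUTH
 isakmp authorization list GROUPAUTH
 client configuration address respond
crypto isakmp profile REGULAR-PROF
 match identity group REGULAR
 client authentication list USERAUTH
 isakmp authorization list GROUPAUTH
 client configuration address respond
!
! Checked against decrypted packets from the restricted tunnel only.
! No source-port test: the RDP client's source port is ephemeral.
ip access-list extended RDP-ONLY
 permit tcp 192.168.51.0 0.0.0.7 host 192.168.15.12 eq 3389
 deny ip any any log
!
crypto ipsec transform-set xfm-3des esp-3des esp-sha-hmac
crypto dynamic-map ravpn-map 10
 set transform-set xfm-3des
 set isakmp-profile RESTRICTED-PROF
 set ip access-group RDP-ONLY in
 reverse-route
crypto dynamic-map ravpn-map 20
 set transform-set xfm-3des
 set isakmp-profile REGULAR-PROF
 reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic ravpn-map
!
interface FastEthernet0/1
 crypto map OUTSIDE-MAP
```

Because the ACL is evaluated on the decrypted traffic of that map entry alone, the explicit deny at the end is safe here, whereas the same deny on an interface ACL would also block every other tunnel and the LAN.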
07-30-2008 06:49 PM
but with ACL (ACEs) and applied to the right interface with the right direction it will work too!!
so for the required restriction it is better to make a separate group with a separate pool and make more restriction on the new pool; regardless of whether this pool will contain one address or more, it will be considered the restricted pool
with ASA we could achieve the restriction on the user level himself which is easier and better
if helpful rate
07-31-2008 06:41 AM
My recommendation was (and remains) to use multiple groups, each with its own pool, and restrictions via the interface ACL.
If (in the future) he was to explore the application of ACLs in the dynamic crypto map, there would be multiple sections in the crypto map, each pointing to different profiles, which in turn point to different groups.
07-31-2008 07:23 AM
Ok Guys.
Thanks very much for all your advice. I will look into some of your suggestions at a later stage. Particularly about applying the ACL to the Dynamic Crypto map.
For now I have carried out the exact config as above. The Fa0/0 is the inside interface. The pool is a separate pool. The crypto map is its own separate crypto map. Also, I have given a few IPs in the pool, because I remember reading somewhere on this forum that if only one IP is applied, then if the user disconnects and reconnects the IP may not be freed from the pool quickly enough, leaving the users waiting to get back in.
Thanks for all help on this one.
Stephen
07-31-2008 07:56 AM
all good
only the crypto map
you should have only one map for all your groups
good luck
07-31-2008 08:03 AM
Sorry man, I have only one crypto. Many groups. One group for regular users, one for the restricted user and one for site-to-site.
Cheers
Stephen