08-08-2008 08:00 AM - edited 03-11-2019 06:28 AM
Greetings,
I need to set up a VPN client to be able to access ONLY a single host on multiple ports.
08-08-2008 08:36 AM
If you use the local database for usernames,
go to the user attributes,
like:
username [username] attributes
vpn-filter value 102
vpn-framed-ip-address 192.168.50.1 255.255.255.255
access-list 102 permit tcp host 192.168.50.1 host [server ip] eq [port number]
and so on.
The above commands assume you have software 7.x or later.
Good luck.
Please rate if helpful.
08-08-2008 09:22 AM
Any other options under software version 6.3(4)?
08-08-2008 10:02 AM
You can restrict all the VPN users by
creating an ACL sourced from the VPN client pool to the host server as the destination, with the required port number,
and applying it on the outside interface in the inbound direction.
08-08-2008 10:22 AM
I appreciate all of your help. I'm kinda new at this.
So - I believe I have all of the pieces for both the VPN clients and the site-to-site listed below. What would I need to add?
crypto ipsec transform-set vpnipsec esp-des esp-md5-hmac
crypto ipsec transform-set vpnclient esp-des esp-md5-hmac
crypto dynamic-map vpnconct 1 set transform-set vpnclient
crypto map vpnmap 40 ipsec-isakmp
crypto map vpnmap 40 match address ipsec_peer
crypto map vpnmap 40 set peer ...
crypto map vpnmap 40 set transform-set vpnipsec
crypto map vpnmap 99 ipsec-isakmp dynamic vpnconct
crypto map vpnmap interface outside
isakmp enable outside
isakmp key ******** address ... netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup vpnclient address-pool client
vpngroup vpnclient default-domain cisco.com
vpngroup vpnclient idle-time 1800
vpngroup vpnclient password *******
nat (inside) 0 access-list 110
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-group inbound in interface outside
sysopt connection permit-ipsec
access-list ipsec_peer permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list ipsec_peer permit ip 192.168.5.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list ipsec_peer permit ip host .... host 172.17.5.101
access-list 110 permit ip 192.168.5.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 110 permit ip 192.168.5.0 255.255.255.0 172.17.0.0 255.255.0.0
access-list 110 permit ip host .... host 172.17.5.101
access-list inbound permit icmp any any echo-reply
08-08-2008 06:25 PM
First of all,
remove the sysopt connection permit-ipsec, because this will permit all IPsec traffic.
Now any IPsec connection is denied after we remove that line,
so we need to start making the permissions line by line.
First decide what traffic should be allowed through your firewall,
and in the end anything not included in the permit statements of the ACL we are going to make will be denied.
First, I couldn't see the VPN client address pool, so I will assume the client pool is in the range 10.1.1.0/24,
the server you want to put the restriction on
is 192.168.5.5,
and the remote site ranges are
172.16.0.0/16
172.17.0.0/16
Let's say you want all VPN clients to access only HTTP and SMTP on the server,
the 172.16.0.0/16 site has full access to the server only, with no access to your LAN,
and 172.17.0.0/16 has access to the whole LAN and the server,
as follows:
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 80
access-list 100 permit tcp 10.1.1.0 255.255.255.0 host 192.168.5.5 eq 25
access-list 100 permit ip 172.16.0.0 255.255.0.0 host 192.168.5.5
access-list 100 permit ip 172.17.0.0 255.255.0.0 192.168.5.0 255.255.255.0
Now apply this ACL inbound on your outside interface.
Before that, do
no access-group inbound in interface outside
then
access-group 100 in interface outside
Hope this was a good example of how you can make the restriction.
Good luck.
Please rate if helpful.
08-11-2008 06:38 AM
Sorry - didn't include the following in the config.
ip local pool client 192.168.5.20-192.168.5.30
so .... could I simply add
access-list 100 permit tcp 192.168.5.20-192.168.5.30 host 192.168.5.5 eq 80
etc. (for the other ports)
Would I then need to add a deny somewhere to prevent the VPN client from accessing any other hosts behind the PIX?
Again, I really appreciate all of the help you're providing. I think we're getting close ... ;-)
08-11-2008 07:06 AM
First,
in Cisco routers or firewalls,
if you make an ACL,
for example
permit something to something
only, by default there is a deny statement called the implicit deny,
so everything else will be denied by default unless you put permit any any.
So in your case you can add deny any at the end or not; either way they will be denied from everything not allowed explicitly by a permit statement.
If you want, make it like
access-list 100 permit tcp 192.168.5.0 255.255.255.0 host 192.168.5.5 eq 80
access-list 100 deny ip any any
By the way, I suggest you use a different IP range for VPN users, not the same as the server,
like 192.168.50.0/24.
Anyway, good luck.
Please rate if helpful.
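Added here as a worked example (not code from the thread or from Cisco): a small Python evaluator for the PIX-style access-list syntax posted in the 06:25 PM reply and the last reply, showing first-match order and the implicit deny. The sample ACL and flows are constructed from the pool and server addresses quoted in the thread.

```python
# Added example (not from the thread): a minimal matcher for the PIX-style
# access-list lines posted above, honouring first-match order and the implicit
# deny. Supported syntax is only what the thread uses:
#   access-list NAME permit|deny PROTO (any|host A.B.C.D|A.B.C.D NETMASK) x2 [eq PORT]
import ipaddress

def _parse_addr(t, i):
    """Consume one address spec at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2  # real subnet mask

def parse_acl(lines, name):
    """Return the ordered entries of access-list NAME as dicts."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[1] != name:
            continue
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append({"action": t[2], "proto": t[3], "src": src, "dst": dst, "dport": port})
    return entries

def evaluate(entries, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; no match means the implicit deny applies."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        proto_ok = e["proto"] in ("ip", proto)
        addr_ok = s in e["src"] and d in e["dst"]
        port_ok = e["dport"] is None or e["dport"] == dport
        if proto_ok and addr_ok and port_ok:
            return e["action"]
    return "deny (implicit)"

# Constructed sample: the ACL from the last reply, plus the 172.17.0.0/16 site line.
SAMPLE_ACL = [
    "access-list 100 permit tcp 192.168.5.0 255.255.255.0 host 192.168.5.5 eq 80",
    "access-list 100 permit tcp 192.168.5.0 255.255.255.0 host 192.168.5.5 eq 25",
    "access-list 100 permit ip 172.17.0.0 255.255.0.0 192.168.5.0 255.255.255.0",
]

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL, "100")
    print(evaluate(acl, "tcp", "192.168.5.25", "192.168.5.5", 80))   # permit
    print(evaluate(acl, "tcp", "192.168.5.25", "192.168.5.5", 22))   # deny (implicit)
    print(evaluate(acl, "tcp", "192.168.5.25", "192.168.5.50", 80))  # deny (implicit)
```

Note that the 192.168.5.0/24 source also covers every other host in the server's own subnet, which is the reason the reply recommends a separate pool such as 192.168.50.0/24.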