VPN concentrator restrictions

Answered Question
Jan 12th, 2009

We use a 3000 series concentrator to allow certain users access to a restricted part of our network.


It has been set up to allow PCs to also communicate with our private addresses (a class B).


I need to deny access to a couple of IPs internally (within the class B).


Is there a way to deny access to those IPs specifically, or do I have to go in and completely reconstruct the allow lists?

Correct Answer by Ivan Martinon (Cisco Employee), Mon, 01/12/2009 - 09:53

The most coherent way to do this is to use Filters and rules to deny traffic to these IP Addresses, check the following link for that:


http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html


Create rules and add them to a filter that then can be applied to the Group that those clients are connecting to.


On a different approach, if these VPN clients are using TunnelAll as the split tunnel policy, you can change the policy to "exclude networks in the list to bypass the tunnel" and use a network list (that will contain those restricted hosts); then, when traffic is intended for those hosts, the VPN client will not tunnel that traffic. FYI, this will cause traffic for those hosts under that split tunnel policy to be sent in plain text: not routed, but sent in plain text by the VPN client.
scootertgm Mon, 01/12/2009 - 12:56

I created two rules, one for each of the IPs to block. I set the source to the "specific IP" and the destination to any IP.


I applied the rule to the filter.


How do I apply the filter to a group?


Thanks for your patience.

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 13:04

You need to go to Configuration | User Management, choose the group you need and edit it; then, once it has been opened for editing, go to the General tab, and in there you have the option to specify the filter you want to use. Note: be very sure that your filter and rules are set correctly, else your CVPN will not pass traffic for that specific group.

scootertgm Mon, 01/12/2009 - 13:29

Thank you for that information.


I have the two rules to drop traffic (inbound) sourcing from those IPs to any destination, then the two rules for any IP inbound or outbound in the VPN client filter.


I am going on the assumption that it follows the rule list like an ACL, top down and first hit follows that rule.


I applied that filter to a group, but they are still receiving traffic from those two IP's.


Our proxy servers are communicating with the PCs on their regular DHCP address, not their VPN address.


Any other ideas?

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 13:42

Mhhh, can you by any chance paste or upload your filter and rules setup? Did you reconnect your VPN client after applying this filter?

scootertgm Mon, 01/12/2009 - 13:51

Yes, I did disconnect and reconnect after making changes.


Attached are screenshots of one ISA rule; the only difference is the source IP on the second rule is 91 for the last octet.

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 13:57

OK, try changing the source to be any and the destination to be your ISA box; VPN filters are sourced towards the group, in this case from the VPN pool towards the internal network.

scootertgm Mon, 01/12/2009 - 14:07

I tried reversing the source and destinations and the associated wildcard masks.


Still no dice, they can communicate with the proxies.

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 14:12

Can you put up a screenshot of your VPN group's general setup where it shows how the filter is applied?

scootertgm Mon, 01/12/2009 - 14:16

We have several groups. This is the group I have been testing on. I made sure my "Test subject" is in the group I applied the policy to.

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 14:19

All looks good here. What is the default action of your filter? I would advise you to use a different filter than the ones the CVPN has already defined there; not saying that is the reason, but using a predefined one could cause an issue.

scootertgm Mon, 01/12/2009 - 14:32

OK, I created a new filter.


I told it to forward traffic if none of the rules apply, then just added the drop rules for the ISAs.


That did not work. Then I tried switching the source and destinations and that did not work either.


Any other ideas?

Ivan Martinon (Cisco Employee) Mon, 01/12/2009 - 14:36

Sorry, I am out of ideas here; this should work, as I have implemented it several times.


If this is not working yet, you might want to open a case with the TAC to check this out, or you can try the split tunnel policy thought I had before too.

scootertgm Tue, 01/13/2009 - 07:31

Well, I did it the "hard way". In the allowed networks, I added multiple networks up to the proxy address, then skipped them and added networks after them.


Basically, instead of


x.x.x.0/0.0.127.255


I used:


x.x.x.0/0.0.0.63
x.x.x.64/0.0.0.15
x.x.x.80/0.0.0.7
x.x.x.88/0.0.0.1
x.x.x.92/0.0.0.3
x.x.x.96/0.0.0.31
x.x.x.128/0.0.0.127
x.x.1.0/0.0.0.255
x.x.2.0/0.0.1.255
x.x.4.0/0.0.3.255
x.x.8.0/0.0.7.255
x.x.16.0/0.0.15.255
x.x.32.0/0.0.31.255
x.x.64.0/0.0.63.255


So far so good.


I really appreciate your efforts on trying to help with this.
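The "hard way" above is a manual carve-out: every excluded host punches a hole in the allowed range, and what is left has to be re-expressed as aligned blocks written in the network/wildcard form the concentrator's network list expects. Doing that by hand for more than a couple of hosts is error-prone (one mis-sized wildcard silently re-admits the proxy or drops a live block), so here is an added example, written for this page and not part of the thread or any Cisco tooling, that computes and checks the same split with Python's standard ipaddress module. The range is the thread's x.x.x.0/0.0.127.255 (a /17) with hosts .90 and .91 removed; the 172.16.0.0 prefix is an assumption standing in for the redacted octets.

```python
import ipaddress


def carve_out_hosts(network, excluded_hosts):
    """Split `network` into the largest aligned subnets that cover every
    address except `excluded_hosts`.  This is the thread's manual split
    done mechanically: each excluded host is removed with address_exclude(),
    which yields the sibling blocks from the largest down to the /31
    beside the hole.  Hosts outside the range are rejected rather than
    silently ignored."""
    net = ipaddress.ip_network(network)
    remaining = [net]
    for host in excluded_hosts:
        hole = ipaddress.ip_network(host)          # a single /32
        if not hole.subnet_of(net):
            raise ValueError(f"{host} is not inside {network}")
        next_round = []
        for block in remaining:
            if hole.subnet_of(block):
                # address_exclude() yields nothing when block == hole,
                # which is exactly what removes a /32 left by a previous hole
                next_round.extend(block.address_exclude(hole))
            else:
                next_round.append(block)
        remaining = next_round
    return sorted(remaining)


def to_wildcard_entries(blocks):
    """Render blocks as network/wildcard pairs, the notation used in the
    VPN 3000 network list (wildcard = inverted subnet mask, e.g. 0.0.0.63)."""
    return [f"{b.network_address}/{b.hostmask}" for b in blocks]


def check_coverage(network, excluded_hosts, blocks):
    """Sanity check before loading the list: every block lies inside the
    original range, none contains an excluded host, no two blocks overlap,
    and together they account for every remaining address exactly once."""
    net = ipaddress.ip_network(network)
    holes = {ipaddress.ip_address(h) for h in excluded_hosts}
    for b in blocks:
        if not b.subnet_of(net):
            return False
        if any(h in b for h in holes):
            return False
    for i, a in enumerate(blocks):
        for b in blocks[i + 1:]:
            if a.overlaps(b):
                return False
    covered = sum(b.num_addresses for b in blocks)
    return covered == net.num_addresses - len(holes)


if __name__ == "__main__":
    # Constructed input: the thread's /17 with the two proxy hosts removed.
    # 172.16.0.0 is an assumed prefix for the redacted x.x.x octets.
    RANGE = "172.16.0.0/17"
    PROXIES = ["172.16.0.90", "172.16.0.91"]
    blocks = carve_out_hosts(RANGE, PROXIES)
    if not check_coverage(RANGE, PROXIES, blocks):
        raise SystemExit("carve-out does not cover the range correctly")
    for entry in to_wildcard_entries(blocks):
        print(entry)
```

Run as-is it prints the same fourteen entries the poster typed in by hand. Two caveats for anyone copying the approach: the network list grows by roughly one entry per address bit for every excluded host, so this scales poorly beyond a handful of hosts, and the list only governs traffic that actually enters the tunnel. As the poster noted, the proxies were reaching the PCs on their regular DHCP address rather than the VPN address, and a tunnel-side allow list or filter does nothing for a path that never crosses the concentrator.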
