940 Views, 0 Helpful, 15 Replies

VPN concentrator restrictions

scootertgm (Level 1)

We use a 3000 series concentrator to allow certain users access to a restricted part of our network.

It has been set up to allow PCs to also communicate with our private addresses (a class B).

I need to deny access to a couple of IPs internally (within the class B).

Is there a way to deny access to those IPs specifically, or do I have to go in and completely re-construct the allow lists?

Accepted Solution

Ivan Martinon (Level 7)

The most coherent way to do this is to use Filters and rules to deny traffic to these IP Addresses, check the following link for that:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html

Create rules and add them to a filter that then can be applied to the Group that those clients are connecting to.

On a different approach, if these vpn clients are using TunnelAll as the split tunnel policy, you can change the policy to be "exclude networks in the list to bypass the tunnel" and use a network list (that will contain those restricted hosts); then when traffic is intended for those hosts, the VPN client will not tunnel that traffic. FYI this will cause traffic for those hosts under that SPLIT TUNNEL policy to be sent in plain text: not routed, but sent in plain text by the vpn client.


15 Replies

I created two rules, one for each of the IP's to block. I set the source to the "specific IP" and the destination to any IP.

I applied the rule to the filter.

How do I apply the filter to a group?

Thanks for your patience.

You need to go to Configuration | User Management, choose the group you need and edit it, then once it has been edited, you go to the General Tab and in there you have the option to specify the filter you want to use. Note: be very sure that your filter and rules are set correctly, else your CVPN will not pass traffic for that specific group.

Thank you for that information.

I have the two rules to drop traffic (inbound) sourcing from those IP's to any destination then the two rules for any IP inbound or outbound in the VPN client filter.

I am going on the assumption that it follows the rule list like an ACL, top down and first hit follows that rule.

I applied that filter to a group, but they are still receiving traffic from those two IP's.

Our proxy servers are communicating to the PC's on their regular DHCP address, not their VPN address.

Any other ideas?

Mhhh can you by any chance paste or upload your filter and rules setup, did you reconnect your vpn client after applying this filter?

Yes, I did disconnect and reconnect after making changes.

Attached are screenshots of one ISA rule; the only difference is the source IP on the second rule is 91 for the last octet.

Ok, Try changing the source to be any and the destination to be your ISA box, VPN filters are sourced towards the group, in this case from the vpn pool towards the internal network.

I tried reversing the source and destinations and the associated wildcard masks.

Still no dice, they can communicate with the proxies.

Can you put a screenshot of your VPNGroup for the general setup where it show how the filter is applied?

We have several groups. This is the group I have been testing on. I made sure my "Test subject" is in the group I applied the policy to.

All looks good here, what is the default action of your filter? I would advise you to use a different filter than the ones that the CVPN has already defined there, not saying that is the reason but using a predefined one could cause an issue.

OK, I created a new filter.

I told it to forward traffic if none of the rules apply then just added the drop rules for the ISA's.

That did not work. Then I tried switching the source and destinations and that did not work either.

Any other ideas?

Sorry, I am out of Ideas here, this should work as I have implemented it several times.

If this is not working yet you might want to open a case with the TAC to check this out, or you can try the split tunnel policy thought I had before.

Well I did it the "Hard way". In the allowed networks, I added multiple networks up to the proxy address, then skipped them and added networks after them.

Basically, instead of

x.x.x.0/0.0.127.255

I used:

x.x.x.0/0.0.0.63

x.x.x.64/0.0.0.15

x.x.x.80/0.0.0.7

x.x.x.88/0.0.0.1

x.x.x.92/0.0.0.3

x.x.x.96/0.0.0.31

x.x.x.128/0.0.0.127

x.x.1.0/0.0.0.255

x.x.2.0/0.0.1.255

x.x.4.0/0.0.3.255

x.x.8.0/0.0.7.255

x.x.16.0/0.0.15.255

x.x.32.0/0.0.31.255

x.x.64.0/0.0.63.255

So far so good.

I really appreciate your efforts on trying to help with this.
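The "hard way" list above is exactly what you get by recursively halving the allowed block and keeping every aligned half that contains none of the excluded hosts. The script below is an added example, not from the thread or from Cisco: it computes that network/wildcard list for any aligned block and set of excluded hosts, and expands a list back to addresses so a hand-built one can be checked for gaps or for hosts that slipped through. The addresses are constructed (10.1.0.0 stands in for the poster's x.x.0.0, and .90/.91 for the two proxies).

```python
import ipaddress

def wildcard_split(allowed: str, excluded: list[str]) -> list[str]:
    """Cover `allowed` (network/wildcard form, e.g. 10.1.0.0/0.0.127.255)
    minus the excluded hosts with the fewest aligned network/wildcard entries.
    An aligned block containing no excluded host is emitted whole; a block
    that does contain one is halved and both halves are examined in turn."""
    net_s, wc_s = allowed.split("/")
    base = int(ipaddress.IPv4Address(net_s))
    wildcard = int(ipaddress.IPv4Address(wc_s))
    size = wildcard + 1                      # 0.0.127.255 -> 32768 addresses
    if size & (size - 1) or base & wildcard:
        raise ValueError("allowed must be an aligned power-of-two block")
    holes = sorted(int(ipaddress.IPv4Address(h)) for h in excluded)
    entries: list[str] = []

    def walk(start: int, length: int) -> None:
        end = start + length
        if not any(start <= h < end for h in holes):
            entries.append(f"{ipaddress.IPv4Address(start)}/"
                           f"{ipaddress.IPv4Address(length - 1)}")
        elif length > 1:                     # a single-address block here is a hole: drop it
            walk(start, length // 2)
            walk(start + length // 2, length // 2)

    walk(base, size)
    return entries

def covered(entries: list[str]) -> set[int]:
    """Expand network/wildcard entries to the set of addresses they admit."""
    addrs: set[int] = set()
    for entry in entries:
        net_s, wc_s = entry.split("/")
        start = int(ipaddress.IPv4Address(net_s))
        addrs.update(range(start, start + int(ipaddress.IPv4Address(wc_s)) + 1))
    return addrs

if __name__ == "__main__":
    # Constructed values: 10.1.0.0/0.0.127.255 stands in for the thread's
    # x.x.x.0/0.0.127.255, and .90/.91 for the two proxy hosts to keep out.
    allowed = "10.1.0.0/0.0.127.255"
    proxies = ["10.1.0.90", "10.1.0.91"]
    network_list = wildcard_split(allowed, proxies)
    for entry in network_list:
        print(entry)
    leaked = covered(network_list) & covered([f"{p}/0.0.0.0" for p in proxies])
    print("proxy hosts still reachable:", len(leaked))
```

Run as-is it prints the same fourteen entries the poster built by hand, and reports zero proxy hosts reachable; change the proxy addresses to regenerate the list for a different pair.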
