Allowing only port 80 for Remote VPN access

Unanswered Question
Jan 17th, 2009
Guys, I have a very quick and hopefully simple question... I have a few Remote Access VPN configurations on my router and they are all good because we allow the entire subnet on the ACLs.

However, I have a special request to create a Remote Access VPN connection and ONLY allow those remote users access to a single host at a particular port (in this case port 80).

How do you put this on the crypto ACL and also on the ACL that hits the inside interface (the deny one)?

It is very important that the remote users ONLY access this particular server at this particular port.

Any help?

insccisco Mon, 01/19/2009 - 12:59

This does not apply. I know how to do this. This example allows the remote vpn user to access the entire subnet at the office.

What I need is to allow the remote vpn user to access ONLY a single server at a SINGLE port (port 80).

How do I accomplish this?

John Blakley Mon, 01/19/2009 - 13:08
User Badges:
  • Purple, 4500 points or more

Are you allowing split tunneling? Without seeing your config, my first thought is to just block the traffic like normal:

VPN assigned addresses:

access-list VPN permit tcp eq 80
access-list VPN deny ip any

OR you can create a filter for your VPN connections and apply to the group policy:

group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list VPN-USERS
access-list VPN-USERS permit tcp eq 80

I don't know if the latter will work. I'm not even sure if I understand your question. Hopefully, I'm on the right track. =)

insccisco Wed, 01/21/2009 - 07:30
OK, this looks promising... I will try it in a few minutes.

andrew.prince@m... Mon, 01/19/2009 - 13:11
User Badges:
  • Green, 3000 points or more

Actually it does apply - very much. You need to write an acl to do what you want to do, and the config example shows you HOW to apply an acl to a remote vpn config.

Think outside the box.

pskipton01 Sat, 07/24/2010 - 05:10
OK, could you tell me which one worked, as I have to do the same thing

to a VPN that comes in on the outside and goes to a pool which allows access to a subnet. I need to only allow port 5151 to a specific server in that subnet.

And yes, it's split tunnel?? Should it be?

Any help would be appreciated.

Jitendriya Athavale Sat, 07/24/2010 - 07:49
User Badges:
  • Cisco Employee

Yes, it is called split tunneling.

We use it usually when remote access VPN users need to access both the internal network and the internet.

group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list VPN-USERS
access-list VPN-USERS permit tcp eq 80

This is indeed the config.

But one thing that you need to look into is whether your company policy wants to allow your users internet access as well, as this would enable internet access (through the remote user's ISP and not the company ISP) as well. If you do not want the user to have internet access when they connect to the VPN, then you will need to allow only the required traffic in the NAT exemption ACL.
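The ACL the thread settles on only restricts access if the source, the destination host and the port are all spelled out and the list ends in a deny; the lines above lost their address placeholders in extraction, so this added checker (not part of the thread, using made-up addresses and a simplified Cisco-style ACL syntax) parses a fully written-out filter and probes it with the flows a restricted VPN user should and should not be able to send, so the restriction can be verified before it is applied to the group policy.

```python
import ipaddress
# Constructed sample ACLs in simplified Cisco syntax (assumed); addresses are made up.
# Intended filter: the VPN pool may reach one web server on TCP/80 and nothing else.
VPN_FILTER = """
access-list VPN-FILTER permit tcp 192.168.100.0 0.0.0.255 host 10.1.1.20 eq 80
access-list VPN-FILTER deny ip any any
"""
# Common mistake: no port qualifier, so every protocol to the host passes.
TOO_BROAD = """
access-list VPN-FILTER permit ip 192.168.100.0 0.0.0.255 host 10.1.1.20
access-list VPN-FILTER deny ip any any
"""
def _parse_addr(tokens, i):
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (netmask or wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2

def parse_acl(text):
    """Return ACEs as (action, protocol, src_net, dst_net, dst_port or None)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)
        port = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries

def lookup(entries, proto, src_ip, dst_ip, dst_port=None):
    """First-match evaluation, ending in the implicit deny every Cisco ACL has."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in entries:
        if p in ("ip", proto) and s in src and d in dst and port in (None, dst_port):
            return action
    return "deny"

def audit(acl_text, server, port):
    """Probe the ACL with flows a restricted VPN user should and should not get through."""
    entries = parse_acl(acl_text)
    probes = {"web on target": ("tcp", "192.168.100.7", server, port),
              "https on target": ("tcp", "192.168.100.7", server, 443),
              "web on neighbour": ("tcp", "192.168.100.7", "10.1.1.21", port),
              "ping target": ("icmp", "192.168.100.7", server, None)}
    return {name: lookup(entries, *flow) for name, flow in probes.items()}
```

Running `audit(VPN_FILTER, "10.1.1.20", 80)` permits only the web probe, while the same audit of `TOO_BROAD` shows HTTPS and ICMP to the server slipping through.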
