Allowing only port 80 for Remote VPN access

Jan 17th, 2009

Guys, I have a very quick and hopefully simple question... I have a few Remote Access VPN configurations on my router and they are all good because we allow the entire subnet in the ACLs.


However, I have a special request to create a Remote Access VPN connection and ONLY allow those remote users access to a single host at a particular port (in this case port 80).


How do you put this on the crypto ACL and also on the ACL that hits the inside interface (the deny one)?


It is very important that the remote users ONLY access this particular server at this particular port.


Any help?

insccisco Mon, 01/19/2009 - 12:59

This does not apply. I know how to do this. This example allows the remote vpn user to access the entire subnet at the office.


What I need is to allow the remote vpn user to access ONLY a single server at a SINGLE port (port 80).


How do I accomplish this?

John Blakley Mon, 01/19/2009 - 13:08 (Purple, 4500 points or more)

Are you allowing split tunneling? Without seeing your config, my first thought is to just block the traffic like normal:


VPN assigned addresses: 192.168.1.0/24

access-list VPN permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80
access-list VPN deny ip 192.168.1.0 255.255.255.0 any

OR you can create a filter for your VPN connections and apply it to the group policy:

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-USERS

access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80


I don't know if the latter will work. I'm not even sure if I understand your question. Hopefully, I'm on the right track. =)


HTH,


John

insccisco Wed, 01/21/2009 - 07:30

OK, this looks promising... I will try it in a few minutes.

pskipton01 Sat, 07/24/2010 - 05:10

OK, could you tell me which one worked, as I have to do the same thing:

a VPN that comes in on the outside goes to a pool 10.20.1.1 to 10.20.1.20, which allows access to a 172.16.10.0 subnet. I need to only allow port 5151 to a specific server in that subnet, 172.16.1.20.

And yes, it's split tunnel?? Should it be?

Any help would be appreciated.

Jitendriya Athavale Sat, 07/24/2010 - 07:49 (Cisco Employee)

Yes, it is called split tunneling.

We use it usually when remote access VPN users need to access both the internal network and the internet.

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-USERS

access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80

This is indeed the config.

But one thing that you need to look into is whether your company policy wants your users to have internet access as well, as this would enable internet access (through the remote user's ISP and not the company ISP). If you do not want the user to have internet access when they connect to the VPN, then you will need to allow only the required traffic in the NAT exemption ACL.
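The practical check after writing either of the ACLs above is to confirm that nothing other than TCP to the one host and port gets through from the pool. The script below is an added example, not code from this thread or from Cisco: it parses ASA-style extended ACL lines (subnet masks such as 255.255.255.0, as the posts use, not IOS wildcard masks; a bare address with no mask is read as a single host; numeric ports only), applies first-match-wins with the implicit deny at the end, and reports flows a candidate ACL would let through beyond the intended host:port. It covers John's port-80 filter and, as a constructed generalisation, pskipton01's port-5151 case, where the pool 10.20.1.1-10.20.1.20 is assumed to fit in 10.20.1.0/27. Note that a `split-tunnel-network-list` only decides which destinations the client sends through the tunnel; the host/port restriction itself is enforced by the ACL on the interface or the group-policy filter, which is what this evaluator models.

```python
"""Offline evaluator for Cisco ASA-style extended ACL lines (constructed example,
not from the thread or from Cisco).  Masks are subnet masks, not wildcard masks;
a bare address without a mask is treated as a single host."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _is_mask(token: str) -> bool:
    """True for a contiguous subnet mask such as 255.255.255.224."""
    try:
        inv = ~int(ipaddress.IPv4Address(token)) & 0xFFFFFFFF
    except ValueError:
        return False
    return inv & (inv + 1) == 0


def _read_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D MASK' | 'A.B.C.D' at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 < len(tokens) and _is_mask(tokens[i + 1]):
        return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2
    return ipaddress.ip_network(tokens[i] + "/32"), i + 1


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[:1] != ["access-list"] or len(t) < 5 or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    proto = t[3].lower()
    src, i = _read_addr(t, 4)
    dst, i = _read_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        if proto not in ("tcp", "udp"):
            raise ValueError("port match requires tcp or udp")
        dport = int(t[i + 1])     # numeric ports only; names like 'www' are not resolved
    return Ace(t[2], proto, src, dst, dport)


def parse_acl(text: str) -> List[Ace]:
    return [parse_ace(l) for l in text.splitlines() if l.strip()]


def evaluate(acl: List[Ace], flow: Flow) -> str:
    """First matching ACE wins; no match falls through to the implicit deny."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for ace in acl:
        if ace.proto != "ip" and ace.proto != flow.proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != flow.dport:
            continue
        return ace.action
    return "deny"


def leaks(acl: List[Ace], host: str, port: int, probes: List[Flow]) -> List[Flow]:
    """Probe flows the ACL permits although they are not TCP to host:port."""
    return [f for f in probes
            if evaluate(acl, f) == "permit"
            and not (f.proto == "tcp" and f.dst == host and f.dport == port)]


# John's filter for the port-80 case, quoted from the thread.
VPN_ACL = parse_acl("""
access-list VPN permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80
access-list VPN deny ip 192.168.1.0 255.255.255.0 any
""")

# The whole-subnet style the original poster already had (constructed).
BROAD_ACL = parse_acl("""
access-list VPN-ALL permit ip 192.168.1.0 255.255.255.0 10.15.20.0 255.255.255.0
""")

# pskipton01's case: pool assumed to fit 10.20.1.0/27, port 5151 to 172.16.1.20 (constructed).
PORT_5151_ACL = parse_acl("""
access-list VPN-5151 permit tcp 10.20.1.0 255.255.255.224 host 172.16.1.20 eq 5151
access-list VPN-5151 deny ip 10.20.1.0 255.255.255.224 any
""")

PROBES = [                                               # constructed sample flows
    Flow("tcp", "192.168.1.10", "10.15.20.5", 80),       # the one intended flow
    Flow("tcp", "192.168.1.10", "10.15.20.5", 443),      # same host, other port
    Flow("tcp", "192.168.1.10", "10.15.20.6", 80),       # neighbouring host
    Flow("udp", "192.168.1.10", "10.15.20.5", 80),       # same port, wrong protocol
]

if __name__ == "__main__":
    for f in PROBES:
        print(f, "->", evaluate(VPN_ACL, f))
    print("leaks in whole-subnet ACL:", leaks(BROAD_ACL, "10.15.20.5", 80, PROBES))
```

Run against `VPN_ACL`, only the first probe is permitted and `leaks()` is empty; run against the whole-subnet `BROAD_ACL`, the other three probes come back as leaks, which is exactly the gap the original poster wants closed. Extend `PROBES` with your own pool addresses and ports before trusting an ACL you are about to apply.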
