01-17-2009 03:51 PM - edited 03-11-2019 07:38 AM
Guys, I have a very quick and hopefully simple question... I have a few Remote Access VPN configurations on my router and they are all good because we allow the entire subnet on the ACLs.
However, I have a special request to create a Remote Access VPN connection and ONLY allow those remote users access to a single host at a particular port (in this case port 80).
How do you put this on the crypto ACL and also on the ACL that hits the inside interface (the deny one)?
It is very important that the remote users ONLY access this particular server at this particular port.
Any help?
01-19-2009 06:21 AM
Use the link below as a resource for the config example:
HTH>
01-19-2009 12:59 PM
This does not apply. I know how to do this. This example allows the remote VPN user to access the entire subnet at the office.
What I need is to allow the remote VPN user to access ONLY a single server at a SINGLE port (port 80).
How do I accomplish this?
01-19-2009 01:08 PM
Are you allowing split tunneling? Without seeing your config, my first thought is to just block the traffic like normal:
VPN assigned addresses: 192.168.1.0/24
access-list VPN permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80
access-list VPN deny ip 192.168.1.0 255.255.255.0 any
OR you can create a filter for your VPN connections and apply to the group policy:
group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list VPN-USERS
access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80
I don't know if the latter will work. I'm not even sure if I understand your question. Hopefully, I'm on the right track. =)
HTH,
John
01-21-2009 07:30 AM
OK, this looks promising... I will try it in a few minutes.
01-19-2009 01:11 PM
Actually it does apply, very much. You need to write an ACL to do what you want to do, and the config example shows you HOW to apply an ACL to a remote VPN config.
Think outside the box.
HTH>
07-24-2010 05:10 AM
OK, could you tell me which one worked, as I have to do the same thing.
A VPN that comes in on the outside goes to a pool 10.20.1.1 to 10.20.1.20, which allows access to the 172.16.10.0 subnet. I need to only allow port 5151 to a specific server in that subnet, 172.16.1.20.
And yes, it's split tunnel?? Should it be?
Any help would be appreciated.
07-24-2010 07:49 AM
Yes, it is called split tunneling.
We usually use it when remote access VPN users need to access both the internal network and the internet.
group-policy VPN attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list VPN-USERS
access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 10.15.20.5 eq 80
This is indeed the config.
But one thing that you need to look into is whether your company policy wants your users to have internet access as well, as this would enable internet access (through the remote user's ISP and not the company ISP) too. If you do not want the user to have internet access when they connect to the VPN, then you will need to allow only the required traffic in the NAT exemption ACL.
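Both replies above carry the "one host, one port" restriction in the split-tunnel network list. That list is pushed to the client as the set of networks it should route into the tunnel; it is routing advice to the client, not a filter enforced on the headend. On the router the original poster describes, the enforcement point for Easy VPN users is an interface ACL on the virtual-template that every remote-access session is cloned from. The following is an added example, not configuration from anyone in this thread; the interface names, the 192.168.1.0/24 pool, the server 10.15.20.5 on the 10.15.20.0/24 LAN, every list and profile name, and the placeholder credentials are assumptions.

```cisco
! Added example (not from the thread): IOS Easy VPN server on a dynamic
! virtual tunnel interface, limiting remote users to TCP/80 on one host.
! Assumed: inside interface Gi0/1 (ip nat inside) and outside Gi0/0
! (ip nat outside) already exist; pool 192.168.1.0/24; server 10.15.20.5;
! all names below and the two placeholder secrets.

aaa new-model
aaa authentication login VPN-AUTH local
aaa authorization network VPN-AUTHZ local
username vpnuser secret <user-password>

! Addresses handed to remote users (the 192.168.1.0/24 used in the replies)
ip local pool VPN-POOL 192.168.1.1 192.168.1.254

! 1. Enforcement ACL. Bound inbound on the virtual-template, so it is
!    evaluated on every decrypted packet from every remote user. Only HTTP
!    to the one server passes; everything else is dropped and logged.
ip access-list extended VPN-USERS-IN
 permit tcp 192.168.1.0 0.0.0.255 host 10.15.20.5 eq www
 deny   ip any any log

! 2. Split-tunnel list. Pushed to the client so it only routes traffic for
!    this host into the tunnel (source is the protected side). This steers
!    the client's routing; the ACL above is what actually enforces the port.
ip access-list extended SPLIT-TUNNEL
 permit ip host 10.15.20.5 192.168.1.0 0.0.0.255

! 3. NAT exemption ("the deny one" from the question). Keep LAN-to-pool
!    traffic out of the outside NAT rule so the server's replies return
!    down the tunnel untranslated.
ip access-list extended NAT-INSIDE
 deny   ip 10.15.20.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.15.20.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload

! Phase 1 policy must match what the client can negotiate; the legacy Easy
! VPN client uses DH group 2, use a stronger group where the client allows.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp client configuration group RESTRICTED-VPN
 key <group-preshared-key>
 pool VPN-POOL
 acl SPLIT-TUNNEL
crypto isakmp profile RESTRICTED-VPN-PROF
 match identity group RESTRICTED-VPN
 client authentication list VPN-AUTH
 isakmp authorization list VPN-AUTHZ
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile RESTRICTED-VPN-IPSEC
 set transform-set VPN-TS
 set isakmp-profile RESTRICTED-VPN-PROF

! Every remote-access session is cloned from this template, so the ACL
! bound here applies to each Virtual-Access interface that gets created.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 ip access-group VPN-USERS-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RESTRICTED-VPN-IPSEC
```

To check it, connect a test client and run `show access-lists VPN-USERS-IN`: the permit line should count hits for a browser session to 10.15.20.5 and the deny line should count (and log) anything else the client tries, such as a ping or SSH to the same host. `show ip interface` on the cloned Virtual-Access interface confirms the ACL is attached. On an ASA the equivalent enforcement point is `vpn-filter` under the group policy rather than an interface ACL; its ACL is written with a source/destination convention that is not the same as an interface ACL's, so check the `vpn-filter` documentation before copying an ACE across.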