Allowing only port 80 for Remote VPN access

insccisco (Level 1)

Guys, I have a very quick and hopefully simple question... I have a few Remote Access VPN configurations on my router, and they are all good because we allow the entire subnet on the ACLs.

However, I have a special request to create a Remote Access VPN connection and ONLY allow those remote users access to a single host at a particular port (in this case port 80).

How do you put this on the crypto ACL and also on the ACL that hits the inside interface (the deny one)?

It is very important that the remote users ONLY access this particular server at this particular port.

Any help?

7 Replies

andrew.prince (Level 10)

This does not apply. I know how to do this. This example allows the remote vpn user to access the entire subnet at the office.

What I need is to allow the remote vpn user to access ONLY a single server at a SINGLE port (port 80).

How do I accomplish this?

Are you allowing split tunneling? Without seeing your config, my first thought is to just block the traffic like normal:

VPN assigned addresses: 192.168.1.0/24

! A single host needs the "host" keyword on the ASA; without it the line is rejected
access-list VPN extended permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80
access-list VPN extended deny ip 192.168.1.0 255.255.255.0 any

Or you can create a filter for your VPN connections and apply it to the group policy:

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 ! the list is referenced with the "value" keyword
 split-tunnel-network-list value VPN-USERS

access-list VPN-USERS extended permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80

I don't know if the latter will work. I'm not even sure if I understand your question. Hopefully, I'm on the right track. =)

HTH,

John


OK, this looks promising... I will try it in a few minutes.

Actually, it does apply - very much. You need to write an ACL to do what you want to do, and the config example shows you HOW to apply an ACL to a remote VPN config.

Think outside the box.

HTH.

OK, could you tell me which one worked, as I have to do the same thing

for a VPN that comes in on the outside and goes to a pool of 10.20.1.1 to 10.20.1.20, which allows access to the 172.16.10.0 subnet. I need to only allow port 5151 to a specific server in that subnet, 172.16.1.20.

And yes, it's split tunnel?? Should it be?

Any help would be appreciated.

Yes, it is called split tunneling.

We usually use it when remote access VPN users need to access both the internal network and the internet.

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 ! the list is referenced with the "value" keyword
 split-tunnel-network-list value VPN-USERS

! a single host needs the "host" keyword
access-list VPN-USERS extended permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80

This is indeed the config.

But one thing that you need to look into is whether your company policy wants to allow your users internet access as well, as this would enable internet access (through the remote user's ISP and not the company ISP). If you do not want the user to have internet access when they connect to the VPN, then you will need to allow only the required traffic in the NAT exemption ACL.
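The following is an added example, not part of the original thread or Cisco's documentation, showing how the two pieces discussed above fit together on an ASA (the syntax the replies use). It assumes the values from John's reply: a group-policy named VPN, a client pool in 192.168.1.0/24 and a web server at 10.15.20.5; the ACL names SPLIT-VPN and VPN-FILTER are made up for illustration. The point it makes is that the split-tunnel list only chooses which destinations the client sends into the tunnel and cannot express a port, so the port restriction has to live in a vpn-filter on the group-policy (or in an interface ACL if VPN traffic is not exempted from interface ACLs).

```text
! Added example (not from the original post). Names and addresses are assumptions.
!
! 1. Split-tunnel list: selects WHICH destinations the client routes into the tunnel.
!    It is a standard ACL, so there is no port here; do not treat it as a filter.
access-list SPLIT-VPN standard permit host 10.15.20.5

! 2. VPN filter: the actual per-flow restriction for this group.
!    For remote-access clients the ASA expects the client-assigned address as the
!    source and the internal host as the destination; the filter is applied to both
!    directions of the flow, so this one line also covers the return traffic.
access-list VPN-FILTER extended permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80
! Anything else (other hosts, other ports, ICMP, DNS) falls to the implicit deny.

! 3. Tie both to the group-policy the remote users land in.
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-VPN
 vpn-filter value VPN-FILTER
```

To check it, connect a client and run `show access-list VPN-FILTER`: the permit line's hit count should climb while the client browses the server, and an attempt to reach any other host or port should fail without a hit. `show vpn-sessiondb detail` shows which group-policy (and therefore which filter) the session received. Two caveats a practitioner will want: by default the ASA exempts decrypted VPN traffic from interface ACLs (`sysopt connection permit-vpn`), so an outside-interface ACL alone does nothing for these users unless that default is disabled; and the implicit deny of a vpn-filter also blocks DNS and ICMP, so add explicit lines for those if the users need them. NAT exemption for the pool is a separate, version-dependent piece of configuration not shown here. For the second question in the thread (pool 10.20.1.1-10.20.1.20, server 172.16.1.20, port 5151) only the addresses and the port in the two ACLs change. On an IOS router there is no vpn-filter; the equivalent is an ordinary interface ACL applied where the decrypted client traffic enters, such as the Virtual-Template interface of an Easy VPN or FlexVPN server, with the split-tunnel ACL likewise carrying destinations only.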
