Limit Access to VPN

Unanswered Question
Mar 19th, 2010

First off, we are "New" to the Cisco Firewall/VPN appliance.  Temporarily we are using an ASA 5510 VPN applianvce to allow limited users access to another state agencies Investigation WEB application.  (We are in the process of purcnasing a pure VPN appliance.)  We have it configured and are able to access the WEB app.  However, we want to be able to limit access to the VPN to specific users/PCs.  We have individual User accounts created, with passwords.  As of yet, we don't have AD, we are a Netware 6.5.8 shop with eDirectory 8.8.5.  Is it possible to limit VPN access to Specific IP addresses??  All our PC have static IP addresses.

I've looked around the ASDM Interface and don't readily see any where to set this up.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Sat, 03/20/2010 - 00:53

What do you mean to limit VPN access to specific ip addresses?

If what you mean is once user is connected, you only want them to access specific ip address and/or application (protocol/port), you can configure "vpn-filter" within the group-policy.

cpremo Sat, 03/20/2010 - 19:34

Let me try to make it clear.  We have 13 PCs in our WAN network (1 ea at 12 District offices) that need to access to the VPN appliance.  All other PCs on our WAN network need to be blocked from accessing the VPN appliance. (NOTE: We need to ensure no PC outside of our WAN will be able to access this VPN appliance either.)  The VPN appliance will give those 13 PCs access to another State Agencies WEB site in their LAN (access is STRICTLY limited).  We have a router to their environment at our HQ Office and have placed the ASA 5510 between our WAN and that router.  We already have an ACL on our Outbound Router to the cloud that blocks the IP of those 13 PCs from being able to see the outside.  But we need the 13 PCs to "talk" to our WSUS and ePO servers (which are located in our HQ Office).  Here is what I would like to happen:

                                                  (This is already Working)

IP Address                                  VPN User Account

Internal (Class C)                         assigned specific IP

XXX.XXX.96.138    --->   VPN  --->  XXX.XXX.XXX.130

XXX.XXX.106.148  --->   VPN  --->  XXX.XXX.XXX.138

XXX.XXX.25.1       --->   VPN  --->  XXX.XXX.XXX.140

All other IPs in

Our WAN

XXX.XXX.96.XXX    --->   VPN  --->  Rejected

XXX.XXX.106.XXX  --->   VPN  --->  Rejected

XXX.XXX.25.XXX    --->   VPN  --->  Rejected

XXX.XXX.24.XXX    --->   VPN  --->  Rejected

Hope this is clearer.

bobby.armstrong Sun, 03/21/2010 - 00:33

Couldn't you achieve what you're trying to do via ACLs? For instance, you create something like:

access-list 101 deny ip x.x.96.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list 101 deny ip x.x.106.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list 101 deny ip x.x.25.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list 101 deny ip x.x.24.x 255.255.255.0 x.x.x.x 255.255.255.0

access-list 101 permit ip x.x.96.138 255.255.255.255 x.x.x.130 255.255.255.255

access-list 101 permit ip x.x.106.148 255.255.255.255 x.x.x.138 255.255.255.255

access-list 101 permit ip x.x.25.1 255.255.255.255 x.x.x.140 255.255.255.255

And apply it to your crypto map like this:

crypto map mymap 10 match address 101

You'll have to create your deny list for the IP range you want to block and then you'll need to create a permit list for the IP addresses you want to allow access.

cpremo Sun, 03/21/2010 - 15:43

Not sure how to implement considering what we've already configured.  Do we need to change to make managment easier?  Here is what we currently have (as shown by "Show Run"):

*******************************************************************************

;this is the IP range of the other agencies LAN after our VPN appliance
access-list split standard permit XXX.0.0.0 255.0.0.0

;This an explicit permit for my PC.  What I want to move to is a "group permit" (i.e. the "Management-PCs" object-group)
access-list split standard permit host XXX.XXX.XX.236
;this is the IP range of the other agencies LAN after our VPN appliance
access-list MBC-Private_nat0_outbound extended permit ip XXX.XX.XXX.0 255.255.255.0 any
access-list MBC-Private_access_in extended deny ip any any
access-list MBC-Private_access_in extended permit ip object-group Management-PCs any
access-list MBC-Private_access_in extended permit tcp host XXX.XXX.XX.236 any object-group DM_INLINE_TCP_1
access-list MBC-Private_access_in extended deny ip XXX.XXX.24.0 255.255.255.0 any

crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn 10 set pfs group1
crypto dynamic-map dyn 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dyn
crypto map mymap interface MBC-Private
crypto isakmp enable MBC-Private
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal

**********************************************************************************************************

Also not sure about what you shown for the ACLs.  Do you mean the denies should end up looking like this:

access-list 101 deny ip x.x.96.1 255.255.255.0 x.x.96.255 255.255.255.0

access-list 101 deny ip x.x.106.1 255.255.255.0 x.x.106.255 255.255.255.0

access-list 101 deny ip x.x.25.1 255.255.255.0 x.x.25.255x 255.255.255.0

access-list 101 deny ip x.x.24.1 255.255.255.0 x.x.24.255 255.255.255.0

And then how do I work on the "crypto" based on what I currently have?

crypto map mymap 10 match address 101

Jennifer Halim Sun, 03/21/2010 - 20:43

Definitely don't recommend configuring "deny" statement on your crypto ACL, and normally crypto ACL is configured for LAN-to-LAN tunnel only.

Can you please confirm whether your setup is a remote access VPN? If that is the case, as advised earlier, you can use vpn-filter to restrict traffic.

cpremo Mon, 03/22/2010 - 07:40

This VPN Appliance is ONLY for use by PC inside our WAN.  Its purpose is to gain access to an Application located at another State Agency (Outside of our WAN).  I know normally you don't restrict IP access to the VPN services since it is usually used to gain access to your WAN from the ouside.  Having said that, we would like to limit access to the IPs we specify and block all other IPs in our WAN from the VPN services.

How else can you do this if you don't set up a deny????

Jennifer Halim Sun, 03/21/2010 - 01:31

Sorry, I assume that your user uses VPN Client to access the internal network, right?

User 1 for example is assigned ip address of XXX.XXX.XXX.130 when they are connected via VPN, and you only want user 1 to access XXX.XXX.96.138 but nothing else? And currently you are using local database for user authentication?

Is the above statement correct? If it is, then you can configure the following.

access-list user1-acl permit ip host XXX.XXX.XXX.130 host XXX.XXX.96.138

username attributes

     vpn-filter value user1-acl

Actions

This Discussion