Cisco Support Community
New Member

Allowing only port 80 for Remote VPN access

Guys, I have a very quick and hopefully simple question... I have a few Remote Access VPN configurations on my router and they are all good because we allow the entire subnet on the ACLs.

However, I have a special request to create a Remote Access VPN connection and ONLY allow those remote users access to a single host at a particular port (in this case port 80).

How do you put this on the crypto ACL and also on the ACL that hits the inside interface (the deny one)?

It is very important that the remote users ONLY access this particular server at this particular port.

Any help?

7 REPLIES

Re: Allowing only port 80 for Remote VPN access

New Member

Re: Allowing only port 80 for Remote VPN access

This does not apply. I know how to do this. This example allows the remote vpn user to access the entire subnet at the office.

What I need is to allow the remote vpn user to access ONLY a single server at a SINGLE port (port 80).

How do I accomplish this?

Re: Allowing only port 80 for Remote VPN access

Are you allowing split tunneling? Without seeing your config, my first thought is to just block the traffic like normal:

VPN assigned addresses: 192.168.1.0/24

access-list VPN permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80
access-list VPN deny ip 192.168.1.0 255.255.255.0 any

OR you can create a filter for your VPN connections and apply to the group policy:

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-USERS
access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80

I don't know if the latter will work. I'm not even sure if I understand your question. Hopefully, I'm on the right track. =)

HTH,

John

HTH, John *** Please rate all useful posts ***
New Member

Re: Allowing only port 80 for Remote VPN access

OK, this looks promising... I will try it in a few minutes.

Re: Allowing only port 80 for Remote VPN access

Actually it does apply - very much. You need to write an acl to do what you want to do, and the config example shows you HOW to apply an acl to a remote vpn config.

Think outside the box.

HTH

New Member

Re: Allowing only port 80 for Remote VPN access

OK, could you tell me which one worked, as I have to do the same thing

to a VPN that comes in on the outside and goes to a pool 10.20.1.1 to 10.20.1.20, which allows access to a 172.16.10.0 subnet. I need to only allow port 5151 to a specific server in that subnet, 172.16.1.20.

And yes, it's split tunnel?? Should it be?

Any help would be appreciated.

Cisco Employee

Re: Allowing only port 80 for Remote VPN access

Yes, it is called split tunneling.

We usually use it when remote access VPN users need to access both the internal network and the internet.

group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-USERS
access-list VPN-USERS permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80

This is indeed the config.

But one thing that you need to look into is whether your company policy wants your users to have internet access as well, as this would enable internet access (through the remote user's ISP and not the company ISP) too. If you do not want the user to have internet access when they connect to the VPN, then you will need to allow only the required traffic in the NAT exemption ACL.
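As an added example (not posted by anyone in this thread), here is how the two mechanisms fit together on a Cisco ASA, assuming ASA syntax since the group-policy commands quoted above are ASA/PIX rather than IOS commands. The split-tunnel list only decides which destinations the client sends into the tunnel; it does not filter ports. The per-port restriction is enforced by a vpn-filter ACL attached to the same group policy. The pool 192.168.1.0/24, the server 10.15.20.5 and port 80 come from the thread; the ACL name VPN-FILTER and the `log` keyword are my assumptions.

```cisco
! Added example, assumes ASA syntax. Values from the thread:
!   VPN pool 192.168.1.0/24, target server 10.15.20.5, TCP port 80.

! 1. Split-tunnel list: decides only WHICH DESTINATIONS enter the tunnel.
!    A standard ACL naming the single host is enough; ports are ignored here.
access-list VPN-USERS standard permit host 10.15.20.5

! 2. VPN filter: enforces the port restriction on decrypted client traffic.
!    For remote-access sessions the ASA evaluates this ACL with the client's
!    assigned pool address as SOURCE and the inside network as DESTINATION.
!    (ACL name VPN-FILTER and the "log" keyword are assumptions.)
access-list VPN-FILTER extended permit tcp 192.168.1.0 255.255.255.0 host 10.15.20.5 eq 80
access-list VPN-FILTER extended deny ip any any log

! 3. Attach both to the group policy the remote users land in.
group-policy VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VPN-USERS
 vpn-filter value VPN-FILTER
```

With this in place a client can only open TCP/80 to 10.15.20.5; anything else from the pool is dropped by the filter regardless of what the interface ACLs allow, and the explicit deny with `log` gives you a syslog record of attempts that violate the policy. After a user connects, `show vpn-sessiondb detail` lists the filter name applied to the session, which is the quickest way to confirm the group policy actually took. The same pattern covers the later post in this thread: use a mask that covers the pool (for 10.20.1.1 to 10.20.1.20, for instance 10.20.1.0 255.255.255.224) as the source and `host 172.16.1.20 eq 5151` as the destination.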
