Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Can I limit VPN access just to a certain server?

Is it possible to limit access to a particular server ie mail server. Do I do this by user or can I create a group. Our authentication right now is through our NT domain. Can I use this or do I have to create an internal group.

2 REPLIES
Cisco Employee

Re: Can I limit VPN access just to a certain server?

It would help if you told us what you're connecting to, and what client you're using. I'm going to assume this is a VPN3000 concentrator going by some of your references to groups and authentication.

Easiest way to do this is to create a new group that only allows access to this one server, then put those particular users into that group. Limiting access can be done one of two ways. Easiest is to set up split tunneling for this group and only include that server IP address in the network list. Another way to do it (more standard) is to create a filter that only allows access to this, then apply that to this new group.

To create a filter, read on:

---------------------------------------------------------------------------------

Setting up filters to block tunnelled traffic from accessing internal hosts on a VPN3000 concentrator

Allow access to 10.1.1.2 and block everything else:

To block access to everything but 10.10.1.2, create a rule that is Inbound/Forward, Source of Anything, Destination of 10.1.1.2/0.0.0.0. Create another rule, it can be left at the defaults which is Inbound, Drop, Source of anything, Dest of anything. Create a filter with default action of forward and add both your new rules to it, making sure the rule that allows access to the host 10.1.12 is ABOVE the default rule that will drop everything else.

Block access to 10.1.1.2 and allow everything else:

To allow access to everything except 10.10.1.2, create a rule that says Inbound, Drop, Source of anything and Destination of 10.10.1.2/0.0.0.0. Add a filter who's default action is to forward, and add the rule to that filter.

Notes:

- You can allow or block access to whole subnets simply by changing your address/mask combination to something like: 10.1.1.0/0.0.0.255

----------------------------------------------------------------------------

New Member

Re: Can I limit VPN access just to a certain server?

Sorry. Yes I am connecting to a 3015 via cisco's VPN CLient 3.6.2. Thanks for the reply I will try doing a filter.

92
Views
5
Helpful
2
Replies