
New Member

LAN access of VPN clients

I have been setting up VPN connections using a VPN 3005 for remote access VPN clients and site-to-site connections. I have no problem with the connections; the VPN clients can now connect to the private network through the tunnel. But I want to limit the access of the VPN clients on my inside network so that only 4 servers can be accessed. I've tried to configure the specific IPs of those 4 servers in the Network Lists of the VPN concentrator, but still all the PCs on the whole subnet of my private network are visible to them. Is there something wrong with my config of the network lists? Is the VPN concentrator capable of filtering IPs or using access-lists?

Here are my entries from the Network Lists:

List name: server1

192.168.10.1/0.0.0.0

List name: server2

192.168.10.2/0.0.0.0

List name: server3

192.168.10.3/0.0.0.0

List name: server4

192.168.10.4/0.0.0.0

Thank you in advance!!

regards,

jmps

7 REPLIES
Silver

Re: LAN access of VPN clients

To specify a single host, the subnet mask should be 255.255.255.255. You might want to try that.

New Member

Re: LAN access of VPN clients

Thank you for taking the time to reply...

But I need to define this in the network list, right? If so, to specify a single host, a wildcard should be used instead of a mask...

New Member

Re: LAN access of VPN clients

That is correct.. the network lists look for a wildcard. I am interested to see how this will work because I am looking to do the same thing.

New Member

Re: LAN access of VPN clients

If you want the connected VPN clients to only access certain devices, list them all together in one network list and apply that list to the group that the clients are a member of.

ie.

network list - servers-only

192.168.0.1/0.0.0.0

192.168.0.2/0.0.0.0

192.168.0.3/0.0.0.0

192.168.0.4/0.0.0.0

In the settings for the group that the VPN clients belong to, enable split tunneling and specify the servers-only network list as the list that they can connect to.

configuration/user management/groups/WHATEVER GROUP YOU USE FOR VPN CLIENTS/client config/split tunneling policy

THEN

split tunneling network list/servers-only

Regards,

Steve

New Member

Re: LAN access of VPN clients

You can also just configure network filters in the 3000 and apply those to the groups.

http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a0080094eac.shtml

Regards,

Jason

New Member

Re: LAN access of VPN clients

Hi Jason, I had the same problem and I saw this URL. Sincerely, even if everything works well when following it, the logic behind this filtering is not very clear to me.

First, I supposed that when a packet doesn't match a rule it should be dropped by the filter action. In fact, in the filter action explanation you configure what happens when a packet doesn't match the associated rule. In the example it says "forward"!!!!

Second, it shouldn't be necessary to configure a rule with deny any any, since in IOS this deny is also implicit.

So is there any documentation where the filtering is explained more completely ?

Thanks

Marco

New Member

Re: LAN access of VPN clients

On a 3005 with software version 3.6 you can specify local and remote network lists for a LAN-to-LAN connection. For clients you can specify split tunneling network lists. So you might consider setting up your clients to use split tunneling and specify a custom network list that looks like:

192.168.10.1/0.0.0.0

192.168.10.2/0.0.0.0

192.168.10.3/0.0.0.0

192.168.10.4/0.0.0.0
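Added example (not from the thread or from Cisco): a small Python model of the address/wildcard matching the replies above say the network lists expect, and of the filter default action Marco asks about. The rule model, the "drop"/"forward" strings and the list names are assumptions for illustration, not the concentrator's own logic.

```python
import ipaddress

def wildcard_match(ip: str, entry: str) -> bool:
    """True if `ip` matches a network-list entry written as address/wildcard.
    Cisco wildcard semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'. So x.x.x.x/0.0.0.0 is exactly one host."""
    addr, wild = entry.split("/")
    a = int(ipaddress.IPv4Address(addr))
    w = int(ipaddress.IPv4Address(wild))
    i = int(ipaddress.IPv4Address(ip))
    # Force the don't-care bits to 1 on both sides, then compare the rest.
    return (a | w) == (i | w)

def hosts_allowed(subnet: str, network_list: list[str]) -> list[str]:
    """Every host in `subnet` covered by at least one entry of the list."""
    net = ipaddress.IPv4Network(subnet)
    return [str(h) for h in net.hosts()
            if any(wildcard_match(str(h), e) for e in network_list)]

def filter_verdict(dst: str, rules: list[tuple[str, str]], default_action: str) -> str:
    """Assumed filter model: ordered (entry, action) rules, first match wins.
    A packet matching no rule gets `default_action`, which (per the thread)
    is configured in the filter itself rather than being an implicit deny
    as in an IOS ACL."""
    for entry, action in rules:
        if wildcard_match(dst, entry):
            return action
    return default_action

# Constructed data: Steve's single list holding all four servers (assumed name).
SERVERS_ONLY = ["192.168.10.1/0.0.0.0", "192.168.10.2/0.0.0.0",
                "192.168.10.3/0.0.0.0", "192.168.10.4/0.0.0.0"]
ANY = "0.0.0.0/255.255.255.255"          # every bit is don't-care
PERMIT_SERVERS = [(e, "forward") for e in SERVERS_ONLY]

if __name__ == "__main__":
    print(hosts_allowed("192.168.10.0/24", SERVERS_ONLY))
    # A subnet mask typed where a wildcard is expected covers the whole subnet:
    print(hosts_allowed("192.168.10.0/24", ["192.168.10.1/255.255.255.255"]))
    # Without an explicit deny-any rule, a default action of "forward" lets
    # a non-matching destination through; the deny-any rule is what drops it.
    print(filter_verdict("192.168.10.99", PERMIT_SERVERS, "forward"))
    print(filter_verdict("192.168.10.99", PERMIT_SERVERS + [(ANY, "drop")], "forward"))
```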
