09-21-2003 04:28 PM - edited 02-21-2020 12:47 PM
I have been setting up VPN connections using a VPN 3005 for remote access VPN clients and site-to-site connections. I have no problem with the connections; the VPN clients can now connect to the private network through the tunnel. But I want to limit the access of the VPN clients on my inside network to allow only 4 servers to be accessed. I've tried to configure the specific IPs of those 4 servers in the Network Lists of the VPN concentrator, but still all the PCs on the whole subnet of my private network are transparent to them. Is there something wrong with my config with network lists? Is the VPN concentrator capable of filtering IPs or access-lists?
Here are my entries from the Network Lists:
List name: server1
192.168.10.1/0.0.0.0
List name: server2
192.168.10.2/0.0.0.0
List name: server3
192.168.10.3/0.0.0.0
List name: server4
192.168.10.4/0.0.0.0
Thank you in advance!!
regards,
jmps
09-22-2003 07:10 AM
To specify a single host, the subnet mask should be 255.255.255.255. You might want to try that.
09-23-2003 04:27 PM
Thank you for your time to reply...
But I need to define this on the network list, right? If so, to specify a single host, a wildcard should be used instead of a mask...
10-06-2003 09:52 AM
That is correct.. the network lists look for a wildcard. I am interested to see how this will work because I am looking to do the same thing.
10-07-2003 05:15 AM
If you want the connected VPN client to only access certain devices, list them all on one network list together and apply that list to the group that the clients are a member of.
i.e.
network list - servers-only
192.168.0.1/0.0.0.0
192.168.0.2/0.0.0.0
192.168.0.3/0.0.0.0
192.168.0.4/0.0.0.0
In the settings for the group that the VPN clients belong to, enable split tunneling and specify the servers-only network list as the list that they can connect to.
Configuration / User Management / Groups / WHATEVER GROUP YOU USE FOR VPN CLIENTS / Client Config / Split Tunneling Policy
THEN
split tunneling network list/servers-only
Regards,
Steve
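The thread's confusion is between subnet-mask notation (255.255.255.255 = one host) and the address/wildcard notation the concentrator's network lists use (0.0.0.0 = one host). The following is an added example, not code from the original thread or from Cisco: a small Python checker that parses list entries in address/wildcard form, converts them to CIDR, flags the common mistake of writing a subnet mask where a wildcard is expected (a wildcard of 255.255.255.255 matches every address, which would explain the whole subnet being reachable), and tests whether a destination falls inside the list, i.e. whether split tunneling would send it through the tunnel. The servers-only list is copied from Steve's post; the test addresses are constructed.

```python
import ipaddress

# Network list from Steve's post, in the address/wildcard form the concentrator expects.
SERVERS_ONLY = [
    "192.168.0.1/0.0.0.0",
    "192.168.0.2/0.0.0.0",
    "192.168.0.3/0.0.0.0",
    "192.168.0.4/0.0.0.0",
]

ALL_ONES = 0xFFFFFFFF


def parse_entry(entry: str):
    """Split 'address/wildcard' into two 32-bit integers."""
    addr_s, wc_s = entry.strip().split("/")
    return int(ipaddress.IPv4Address(addr_s)), int(ipaddress.IPv4Address(wc_s))


def matches(entry: str, ip: str) -> bool:
    """Wildcard semantics: bits set to 0 in the wildcard must match exactly; 1 bits are 'don't care'."""
    addr, wc = parse_entry(entry)
    care = ~wc & ALL_ONES
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def in_network_list(entries, ip: str) -> bool:
    """True if any entry covers ip, i.e. traffic to ip would be tunneled under split tunneling."""
    return any(matches(e, ip) for e in entries)


def to_cidr(entry: str) -> str:
    """Render an address/wildcard entry as CIDR, when the wildcard is contiguous (the usual case)."""
    addr, wc = parse_entry(entry)
    mask = ~wc & ALL_ONES
    prefix = bin(mask).count("1")
    if mask != (ALL_ONES << (32 - prefix)) & ALL_ONES:
        raise ValueError(f"non-contiguous wildcard in {entry}")
    return f"{ipaddress.IPv4Address(addr & mask)}/{prefix}"


def lint_network_list(entries):
    """Return human-readable warnings for entries that probably do not mean what the author intended."""
    warnings = []
    for e in entries:
        _, wc = parse_entry(e)
        if wc == ALL_ONES:
            # A subnet mask written where a wildcard belongs: this entry matches every IPv4 address.
            warnings.append(f"{e}: wildcard 255.255.255.255 matches ALL addresses; "
                            "for a single host use /0.0.0.0")
    return warnings


if __name__ == "__main__":
    for e in SERVERS_ONLY:
        print(f"{e:28s} -> {to_cidr(e)}")
    for dst in ("192.168.0.3", "192.168.0.50"):  # constructed test destinations
        print(dst, "tunneled" if in_network_list(SERVERS_ONLY, dst) else "not in list")
    for w in lint_network_list(["192.168.0.1/255.255.255.255"]):  # the mistake from the thread
        print("WARNING:", w)
```

Running it prints each entry as a /32, shows that 192.168.0.3 is in the list while 192.168.0.50 is not, and warns that a 255.255.255.255 "wildcard" covers every address.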
10-07-2003 11:25 AM
You can also just configure network filters in the 3000 and apply those to the groups.
http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a0080094eac.shtml
Regards,
Jason
10-10-2003 06:41 AM
Hi Jason, I had the same problem and I saw this URL. Sincerely, even if following it everything works well, the logic behind this filtering is not very clear to me.
First, I supposed that when a packet doesn't match a rule it should be dropped by the filter action. In fact, in the filter action explanation you should configure what happens when a packet doesn't match the associated rule. In the example it says "forward" !!!!.
Second, it shouldn't be necessary to configure a rule with deny any any, since in IOS this deny is also implicit.
So is there any documentation where the filtering is explained more completely?
Thanks
Marco
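Marco's two points both come down to the filter-level default action. This added example (not code from the thread, from Cisco, or from the linked document) models the semantics as an ordered rule list plus a configurable default action for packets that match no rule: with a default of "forward", a trailing deny-any-any rule is what actually blocks unmatched traffic, whereas with a default of "drop" that rule is redundant, which is the IOS implicit-deny behaviour Marco expected. Rule and packet fields, the 10.1.1.0/24 client pool and the port numbers are constructed for the illustration; the server address is the 192.168.10.1 from the original question.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "forward" or "drop"
    src: str             # CIDR
    dst: str             # CIDR
    protocol: str = "any"
    dst_port: Optional[int] = None   # None = any port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All five-tuple fields must match; 'any' and None are wildcards."""
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.protocol != "any" and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], default_action: str, pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the filter's default action applies.

    Assumed model of the concentrator's filter: ordered rules + a per-filter default action.
    """
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return default_action, "default"


# Constructed policy: VPN client pool may reach one server on RDP and one on HTTPS, nothing else.
CLIENT_POOL = "10.1.1.0/24"
ALLOW_RULES = [
    Rule("rdp-to-server1", "forward", CLIENT_POOL, "192.168.10.1/32", "tcp", 3389),
    Rule("https-to-server2", "forward", CLIENT_POOL, "192.168.10.2/32", "tcp", 443),
]
DENY_ANY_ANY = Rule("deny-any-any", "drop", "0.0.0.0/0", "0.0.0.0/0")

ALLOWED_PKT = Packet("10.1.1.7", "192.168.10.1", "tcp", 3389)
STRAY_PKT = Packet("10.1.1.7", "192.168.10.99", "tcp", 445)   # a host not on the allow list


def outcome_default_forward_no_deny() -> Tuple[str, str]:
    """Marco's first puzzle: default 'forward' and no closing deny lets unmatched traffic through."""
    return evaluate(ALLOW_RULES, "forward", STRAY_PKT)


def outcome_default_forward_with_deny() -> Tuple[str, str]:
    """Same default, but the explicit deny-any-any catches the stray packet."""
    return evaluate(ALLOW_RULES + [DENY_ANY_ANY], "forward", STRAY_PKT)


def outcome_default_drop_no_deny() -> Tuple[str, str]:
    """Marco's second point: with default 'drop', the deny-any-any rule is not needed."""
    return evaluate(ALLOW_RULES, "drop", STRAY_PKT)


if __name__ == "__main__":
    print("allowed packet:", evaluate(ALLOW_RULES, "drop", ALLOWED_PKT))
    print("default forward, no deny :", outcome_default_forward_no_deny())
    print("default forward, with deny:", outcome_default_forward_with_deny())
    print("default drop, no deny     :", outcome_default_drop_no_deny())
```

The three outcome functions make the trade-off concrete: an example built around a "forward" default only restricts traffic because of its last deny-any-any line, so anyone copying the rules but omitting that line ends up with an open filter.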
10-13-2003 05:50 PM
On a 3005 with software version 3.6 you can specify local and remote network lists for a LAN-to-LAN. For clients you can specify split tunneling network lists. So you might consider setting up your clients to use split tunneling and specify a custom network list that looks like:
192.168.10.1/0.0.0.0
192.168.10.2/0.0.0.0
192.168.10.3/0.0.0.0
192.168.10.4/0.0.0.0