08-20-2003 03:14 AM - edited 02-21-2020 12:43 PM
I have a PIX with a dynamic cryptomap for remote VPN clients. Does anyone know the best method to restrict each vpngroup to access only certain internal destination IP addresses? thanks.
08-20-2003 05:58 AM
If each vpngroup has a unique local ip pool, you could write ACLs blocking them and apply them inbound to the inside int:
netadmins ip local pool - 192.168.0.0/28
vendors ip local pool - 192.168.0.16/28
access-list insideint deny xxxxxx xxxxxx 192.168.0.16 255.255.255.240
access-list insideint permit ip any any
this only blocks return traffic from restricted servers to vendors. An evil vendor could still attack servers with connectionless protocols like UDP - they could syslog bomb a server, or send snmp commands, etc.
If you could group all of your servers within a netblock, you could write an acl for a crypto map, and come up with a vpn setup that would only allow them to communicate with that netblock. I can't think of any other methods.
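The weakness described in the reply above (an ACL applied inbound on the inside interface only sees the servers' replies, so TCP is effectively broken for the vendor pool while UDP datagrams still arrive) can be checked with a small model of PIX first-match ACL evaluation. This is an added example, not code from the thread; the server block 10.1.1.0/24 is a constructed stand-in for the redacted "xxxxxx" addresses, and the protocol keyword "ip" is assumed for the deny line.

```python
import ipaddress
from typing import List, Tuple

# Constructed sample config, modelled on the reply's ACL idea.
# 10.1.1.0/24 stands in for the redacted restricted-server block.
VENDOR_POOL = ipaddress.ip_network("192.168.0.16/28")
INSIDE_ACL: List[str] = [
    "access-list insideint deny ip 10.1.1.0 255.255.255.0 192.168.0.16 255.255.255.240",
    "access-list insideint permit ip any any",
]

def parse_ace(line: str) -> Tuple[str, str, ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Parse one PIX-style ACE: access-list NAME action proto src mask dst mask.
    PIX masks are netmasks (not wildcard masks), which ipaddress accepts directly."""
    f = line.split()
    action, proto = f[2], f[3]

    def net(i: int) -> Tuple[ipaddress.IPv4Network, int]:
        if f[i] == "any":
            return ipaddress.ip_network("0.0.0.0/0"), i + 1
        return ipaddress.ip_network(f"{f[i]}/{f[i + 1]}"), i + 2

    src, i = net(4)
    dst, _ = net(i)
    return action, proto, src, dst

def acl_permits(acl: List[str], proto: str, src: str, dst: str) -> bool:
    """First matching entry decides; an implicit deny follows the last line."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, p, sn, dn = parse_ace(line)
        if p in ("ip", proto) and s in sn and d in dn:
            return action == "permit"
    return False

def vendor_can_reach(proto: str, client_ip: str, server_ip: str) -> dict:
    """Only the inside interface carries an ACL, so the client->server packet is
    never filtered; the ACL is consulted only for the server's reply."""
    forward = True
    reply = acl_permits(INSIDE_ACL, proto, server_ip, client_ip)
    # TCP needs the reply to complete the handshake; UDP does not.
    effective = forward and (reply or proto != "tcp")
    return {"packet_arrives": forward, "reply_allowed": reply, "effective": effective}

if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        print(proto, vendor_can_reach(proto, "192.168.0.20", "10.1.1.5"))
```

The UDP case returning effective=True is the syslog/SNMP exposure the reply points out; the netadmin pool (192.168.0.0/28) is unaffected because its replies hit the permit line.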
08-20-2003 07:18 PM
Why not run a split tunnel configuration, with only the hosts you want to allow them access to in the ACL? Each VPN group can have its own split-tunnel ACL, so different groups will get different access.
Something like:
vpngroup GROUP1 address-pool GROUP1-ADDRESS-POOL
vpngroup GROUP1 dns-server A.A.A.A
vpngroup GROUP1 wins-server B.B.B.B
vpngroup GROUP1 default-domain domain.com
vpngroup GROUP1 split-tunnel GROUP1-SPLIT-TUNNEL-LIST
vpngroup GROUP1 idle-time 1800
vpngroup GROUP1 password ********
Mike.