
restrict VPN access

Hi,

Hope you can help. I need to allow a user access to one host on my LAN and only RDP access. I have a Cisco 2801 with IOS 12.4. VPN is working great for other users.

Is there a command that I can apply to a crypto map or the like to restrict certain traffic from individuals?

Many Thanks

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
11 REPLIES

Re: restrict VPN access

You've not indicated whether you are referring to a site-to-site VPN, or RAVPN.

In either case, the inbound interface ACL applied to your router's external interface would be configured with an ACE(s) specifying the encapsulated IP addresses (source and destination) to be permitted. You could specify your higher layer criteria (RDP) here.

Site-to-Site:

Hopefully, the specific user/host has a persistent fixed IP. If there were ACEs specifying other far-side source addresses with access to other local resources, you wouldn't want that user/host matching those ACEs.

RAVPN:

You could specify a unique "isakmp client configuration group" for the user, with a unique IP pool of one address. This would ensure that the interface ACL (configured for the same address) enforced policy as intended.

Generally, it's a bad idea to specify upper-layer criteria (e.g.: RDP) in crypto ACLs, or split-tunneling ACLs.

Re: restrict VPN access

Hi Michael,

Thanks for getting back. Sorry, it is a RAVPN, and I think I've created a good config for this.

!
crypto isakmp client configuration group GROUP
 key PASS
 dns 192.168.15.10
 wins 192.168.15.10
 domain domain.local
 pool POOL
!
ip local pool POOL 192.168.51.1 192.168.51.6
!
! source port is left unmatched: RDP clients connect from an ephemeral port
access-list 103 permit tcp 192.168.51.0 0.0.0.7 192.168.15.12 0.0.0.0 eq 3389 log
access-list 103 deny ip 192.168.51.0 0.0.0.7 192.168.15.0 0.0.0.255 log
access-list 103 permit ip any any
!
int fa0/0
 ip access-group 103 out
!

What do you think?

Stephen


Re: restrict VPN access

Apply it in the inbound direction on the outside interface; better and less CPU intensive.

Re: restrict VPN access

Will the outside interface still see the traffic coming from the tunnel?


Re: restrict VPN access

It will terminate on that interface.

Sure, it will see it.

And as the person above mentioned, you can make another pool with another group name and put more restrictions on that group.

If you need more help, let me know.

Try the ACL too.

Good luck.

Re: restrict VPN access

You've not indicated whether int fa0/0 is an internal or external interface.

I'll assume that it is an "internal" interface given that you have defined the RAVPN Client addresses as the source, and the ACL has been applied "outbound".

If fa0/0 is not the internal interface, then you have applied it incorrectly.

I prefer to permit or deny connection initiation on the ingress interface. In this case that would mean applying the ACL inbound on the external interface.

From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.

Are you sure you want to log every RDP packet?

Your initial post indicated that you needed to allow "a user" restricted access, so I'm not sure why you are defining a pool of multiple addresses for this "isakmp client configuration group". Are you applying the RDP restriction to one user, many, or all?

It is not clear to me whether this is to be a supplemental configuration group with restricted access, or whether this is to be the one and only configuration group.

Although I have not explored this method, I believe the access restriction could be implemented with an ACL applied to the dynamic crypto map rather than with ACEs within the interface ACL applied to the external interface. I'm not trying to get you to change your existing approach, just making light of an alternative for future reference.

e.g.:

crypto dynamic-map ravpn-map 10
 set ip access-group 120 in
 set transform-set xfm-3des
 set isakmp-profile psk-prof-1
 reverse-route
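
Added example, not part of any post in this thread: a small Python model of first-match evaluation for ACL 103 as discussed above, with the RDP permit matching on destination port 3389 only, plus two constructed variants (one that pins the client's source port to 3389, one that closes with deny ip any any). The packets, the 192.168.50.5 address and the source ports are constructed, and the model ignores the log keyword and everything beyond protocol, address and port matching.

```python
import ipaddress

def wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

ANY = ("0.0.0.0", "255.255.255.255")
POOL = ("192.168.51.0", "0.0.0.7")       # covers .0-.7, pool is .1-.6
LAN = ("192.168.15.0", "0.0.0.255")
RDP_HOST = ("192.168.15.12", "0.0.0.0")

# ACE = (action, proto, src, src_port, dst, dst_port); None = port not tested
ACL_103 = [
    ("permit", "tcp", POOL, None, RDP_HOST, 3389),
    ("deny", "ip", POOL, None, LAN, None),
    ("permit", "ip", ANY, None, ANY, None),
]
# Constructed variant: the permit also pins the client's source port.
SRC_PORT_PINNED = [("permit", "tcp", POOL, 3389, RDP_HOST, 3389)] + ACL_103[1:]
# Constructed variant: closing "deny ip any any" instead of "permit ip any any".
DEFAULT_DENY = ACL_103[:2] + [("deny", "ip", ANY, None, ANY, None)]

def evaluate(acl, proto, src, sport, dst, dport):
    """Return (action, ACE index) for the first matching ACE."""
    for i, (action, p, s, sp, d, dp) in enumerate(acl):
        if p not in ("ip", proto):
            continue
        if not (wc_match(src, *s) and wc_match(dst, *d)):
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, i
    return "deny", None                   # implicit deny at the end of every ACL

# Constructed packets: (proto, src, sport, dst, dport)
RDP_OK = ("tcp", "192.168.51.3", 50123, "192.168.15.12", 3389)
SMB_LAN = ("tcp", "192.168.51.3", 50124, "192.168.15.20", 445)
OTHER_USER = ("tcp", "192.168.50.5", 50125, "192.168.15.20", 445)

if __name__ == "__main__":
    for name, acl in [("ACL 103", ACL_103), ("source port pinned", SRC_PORT_PINNED),
                      ("default deny", DEFAULT_DENY)]:
        for pkt in (RDP_OK, SMB_LAN, OTHER_USER):
            print(name, pkt, evaluate(acl, *pkt))
```

With the source port pinned, the RDP session from the pool no longer matches the permit and falls through to the LAN deny. With the closing deny, traffic from addresses outside the restricted pool has to be permitted explicitly.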

Re: restrict VPN access

But ACLs (ACEs) applied to the right interface in the right direction will work too!

So for the required restriction, it is better to make a separate group with a separate pool and put more restrictions on the new pool. Regardless of whether this pool contains one address or more, it will be considered the restricted pool.

With ASA we could achieve the restriction at the level of the user himself, which is easier and better.

If helpful, rate.

Re: restrict VPN access

My recommendation was (and remains) to use multiple groups, each with its own pool, and restrictions via the interface ACL.

If (in the future) he was to explore the application of ACLs in the dynamic crypto map, there would be multiple sections in the crypto map, each pointing to different profiles, which in turn point to different groups.

Re: restrict VPN access

Ok Guys.

Thanks very much for all your advice. I will look into some of your suggestions at a later stage, particularly about applying the ACL to the dynamic crypto map.

For now I have carried out the exact config as above. The Fa0/0 is the inside interface. The pool is a separate pool. The crypto map is its own separate crypto map. Also, I have given a few IPs in the pool, because I remember reading somewhere on this forum that if only one IP is applied, then if the user disconnects and reconnects the IP may not free from the pool quickly enough, leaving the users waiting to get back in.

Thanks for all help on this one.

Stephen


Re: restrict VPN access

All good.

Only the crypto map:

You should have only one map for all your groups.

Good luck.

Re: restrict VPN access

Sorry man, I have only one crypto. Many groups. One group for regular users, one for the restricted user and one for site-to-site.

Cheers

Stephen
