Hope you can help. I need to allow a user access to one host on my LAN, and only RDP access. I have a Cisco 2801 with IOS 12.4. VPN is working great for other users.
Is there a command that I can apply to a crypto map or the like to restrict certain traffic from individuals?
You've not indicated whether you are referring to a site-to-site VPN or an RAVPN.
In either case, the inbound interface ACL applied to your router's external interface would be configured with one or more ACEs specifying the encapsulated IP addresses (source and destination) to be permitted. You could specify your higher-layer criteria (RDP) here.
Hopefully, the specific user/host has a persistent, fixed IP. If there were ACEs specifying other far-side source addresses with access to other local resources, you wouldn't want that user/host matching those ACEs.
You could specify a unique "isakmp client configuration group" for the user, with a unique IP pool of one address. This would ensure that the interface ACL (configured for the same address) enforced policy as intended.
Generally, it's a bad idea to specify upper-layer criteria (e.g. RDP) in crypto ACLs or split-tunneling ACLs.
Thanks for getting back. Sorry, it is an RAVPN, and I think I've created a good config for this.
crypto isakmp client configuration group GROUP
ip local pool POOL 192.168.51.1 192.168.51.6
access-list 103 permit tcp 192.168.51.0 0.0.0.7 host 192.168.15.12 eq 3389 log
access-list 103 deny ip 192.168.51.0 0.0.0.7 192.168.15.0 0.0.0.255 log
access-list 103 permit ip any any
ip access-group 103 out
What do you think?
Will the outside interface still see the traffic coming from the tunnel?
It will terminate on that interface.
Sure, it will see it.
And as the person above mentioned, you can make another pool with another group name and put more restrictions on that group.
If you need more help, let me know.
Try the ACL too.
You've not indicated whether int fa0/0 is an internal or external interface.
I'll assume that it is an "internal" interface, given that you have defined the RAVPN client addresses as the source and the ACL has been applied "outbound".
If fa0/0 is not the internal interface, then you have applied it incorrectly.
I prefer to permit or deny connection initiation on the ingress interface. In this case that would mean applying the ACL inbound on the external interface.
From a security standpoint, it is preferable to not use "permit ip any any" at the end of your interface ACLs. It is preferable to construct your interface ACLs to only allow traffic permitted by your security policy. Anything not permitted by your security policy should be denied with "deny ip any any log" at the end of your interface ACLs. You might want to transition to this methodology in future implementations.
Are you sure you want to log every RDP packet?
Your initial post indicated that you needed to allow "a user" restricted access, so I'm not sure why you are defining a pool of multiple addresses for this "isakmp client configuration group". Are you applying the RDP restriction to one user, many, or all?
It is not clear to me whether this is to be a supplemental configuration group with restricted access, or whether this is to be the one and only configuration group.
Although I have not explored this method, I believe the access restriction could be implemented with an ACL applied to the dynamic crypto map rather than with ACEs within the interface ACL applied to the external interface. I'm not trying to get you to change your existing approach, just noting an alternative for future reference.
crypto dynamic-map ravpn-map 10
 set ip access-group 120 in
 set transform-set xfm-3des
 set isakmp-profile psk-prof-1
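The approach recommended in the two replies above (a separate configuration group with a one-address pool, enforced by an ACL applied inbound on the external interface, ending in "deny ip any any log" and without logging every RDP packet) pulled together into one IOS configuration, as an added example that is not from the original thread or any poster. The group name RESTRICTED, the pool name RESTRICTED-POOL, the restricted host address 192.168.51.9, ACL number 120, the AAA list names, the username, the interface roles (FastEthernet0/1 external, FastEthernet0/0 internal) and the <placeholder> values are all assumptions; 192.168.15.12 is the RDP target from the thread.

```cisco
! Added example, not the thread's own config. Assumed names and addresses are
! marked below; <...> values must be replaced with your own.
aaa new-model
aaa authentication login VPN-XAUTH local      ! assumed list name
aaa authorization network VPN-GROUP local     ! assumed list name
!
username rdpuser password 0 <xauth-password>  ! assumed XAUTH user
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Restricted group: its own pool with a single address, so the interface ACL can
! name that host exactly and the user can never match ACEs meant for other pools.
crypto isakmp client configuration group RESTRICTED
 key <group-pre-shared-key>
 pool RESTRICTED-POOL
!
ip local pool RESTRICTED-POOL 192.168.51.9    ! assumed address, one entry
!
crypto ipsec transform-set xfm-3des esp-3des esp-sha-hmac
!
crypto dynamic-map ravpn-map 10
 set transform-set xfm-3des
 reverse-route
!
crypto map VPNMAP client authentication list VPN-XAUTH
crypto map VPNMAP isakmp authorization list VPN-GROUP
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic ravpn-map
!
! Interface ACL applied INBOUND on the EXTERNAL (ingress) interface.
ip access-list extended 120
 remark -- the encrypted traffic itself: ISAKMP, NAT-T and ESP to the router
 permit udp any host <outside-ip> eq isakmp
 permit udp any host <outside-ip> eq non500-isakmp
 permit esp any host <outside-ip>
 remark -- the decrypted RDP flow from the restricted host only; the client's
 remark -- source port is ephemeral, so only the destination port is matched,
 remark -- and the permit is not logged (no per-packet RDP logging)
 permit tcp host 192.168.51.9 host 192.168.15.12 eq 3389
 remark -- anything else the restricted host tries on the LAN is denied and logged
 deny   ip host 192.168.51.9 192.168.15.0 0.0.0.255 log
 remark -- ACEs for the regular-user pool and other permitted inbound traffic go here
 remark -- explicit deny-all-log instead of "permit ip any any"
 deny   ip any any log
!
interface FastEthernet0/1
 description external (assumed role)
 ip address <outside-ip> <outside-mask>
 ip access-group 120 in
 crypto map VPNMAP
```

After the restricted user connects, "show access-lists 120" should show the hit count on the host 192.168.51.9 / 3389 ACE climbing while an RDP session is open, and "show logging" should show only the denied attempts; if the counters on those ACEs stay at zero while the session works, the decrypted traffic is not being evaluated by this ACL on your release and the crypto-map alternative mentioned in the post above (one dynamic-map entry per group, each with its own "set ip access-group") is the place to apply it instead.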
But with the ACL (ACEs) applied to the right interface in the right direction, it will work too!
So for the required restriction, it is better to make a separate group with a separate pool and put more restrictions on the new pool; regardless of whether this pool contains one address or more, it will be considered the restricted pool.
With an ASA we could achieve the restriction at the user level itself, which is easier and better.
If helpful, please rate.
My recommendation was (and remains) to use multiple groups, each with its own pool, and restrictions via the interface ACL.
If (in the future) he was to explore the application of ACLs in the dynamic crypto map, there would be multiple sections in the crypto map, each pointing to different profiles, which in turn point to different groups.
Thanks very much for all your advice. I will look into some of your suggestions at a later stage, particularly about applying the ACL to the dynamic crypto map.
For now I have carried out the exact config as above. The Fa0/0 is the inside interface. The pool is a separate pool. The crypto map is its own separate crypto map. Also, I have given a few IPs in the pool, because I remember reading somewhere on this forum that if only one IP is applied, then if the user disconnects and reconnects, the IP may not be freed from the pool quickly enough, leaving the user waiting to get back in.
Thanks for all help on this one.
Sorry man, I have only one crypto map. Many groups. One group for regular users, one for the restricted user and one for site-to-site.