Restricting access of remote users to internal network

Hi to All,

I have just purchased Cisco PIX 506E Firewall.

We have approximately 30 workstations with static IPs on the internal LAN. They all have RAdmin software installed.

I also created a user account on the PIX for remote access for one of our employees. He accesses the PIX with the Cisco VPN Client and the internal LAN with the RAdmin software by typing the static (internal) IP of the workstation. I guess that employee can access ALL internal workstations just by typing a certain IP address.

My question is how to limit the employee's access to just one, certain workstation? All other workstations should be inaccessible to this remote user.

Thank you for your help.

Branko

4 REPLIES

Re: Restricting access of remote users to internal network

Branko,

You can restrict this on the NONAT access-list configured by you on the PIX.

For example, if the IP pool on the PIX is 192.168.1.1-1.254 and if the user has to access an internal LAN IP 10.100.100.1, then you need to give the following ACL:

access-list 101 permit ip host 10.100.100.1 192.168.1.0 255.255.255.0

nat (inside) 0 access-list 101

and the other crypto commands.....

This will restrict the users connecting from the 192.168.1.0 pool to have access only to the 10.100.100.1 IP address.

Hope this helps. Rate replies if found useful.

Raj


Re: Restricting access of remote users to internal network

Disable the command "sysopt connection permit-ipsec" and create an inbound ACL for remote VPN access.

e.g.

no sysopt connection permit-ipsec

access-list remote_vpn permit tcp host eq

access-group remote_vpn in interface outside

With the sample above, you can restrict the remote VPN access down to a particular workstation with a particular protocol/port.

The catch is that if the PIX has other LAN-to-LAN VPNs, you need to include those subnets as part of the inbound ACL.
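The two replies above each show one half of the control: Raj's NAT-exemption ACL only gives the permitted workstation a path to the VPN pool, and the second reply stops decrypted IPsec traffic from bypassing the outside interface ACL so that a real inbound filter applies. The PIX 6.x configuration below is an added illustration for the scenario in the question; it was not posted by anyone in this thread and is not a full PIX config (ISAKMP, crypto map and the rest of the VPN setup are omitted, as in Raj's reply). The addresses and names are assumptions: the pool 192.168.1.1-192.168.1.254 and the host 10.100.100.1 are taken from Raj's example, the inside LAN 10.100.100.0/24, the vpngroup name remoteusers, the ACL names, the example LAN-to-LAN subnet 10.200.0.0/24 and the RAdmin port (TCP 4899, RAdmin's default) are assumed.

```cisco
! Added example, not from the thread. Assumed: VPN pool 192.168.1.0/24,
! inside LAN 10.100.100.0/24, permitted workstation 10.100.100.1,
! RAdmin on TCP 4899. Replace <preshared-key> with the real group key.
ip local pool vpnpool 192.168.1.1-192.168.1.254

! NAT exemption (first reply): only the permitted host is exempted, so no
! other inside host has a translation toward the pool addresses.
access-list NONAT permit ip host 10.100.100.1 192.168.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split tunnel: push only the permitted host to the client, so the client
! does not route the whole LAN into the tunnel in the first place.
access-list SPLIT permit ip host 10.100.100.1 192.168.1.0 255.255.255.0

vpngroup remoteusers address-pool vpnpool
vpngroup remoteusers split-tunnel SPLIT
vpngroup remoteusers idle-time 1800
vpngroup remoteusers password <preshared-key>

! Second reply: decrypted IPsec traffic must now pass the outside
! interface ACL instead of being trusted automatically.
no sysopt connection permit-ipsec

! Inbound ACL on outside: the pool may reach only 10.100.100.1 on TCP 4899.
! Everything else from the pool is dropped by the implicit deny.
access-list remote_vpn permit tcp 192.168.1.0 255.255.255.0 host 10.100.100.1 eq 4899
! Caveat from the second reply: once sysopt is disabled, LAN-to-LAN peers are
! filtered here too, so each remote LAN-to-LAN subnet needs its own permit.
! Example for an assumed remote subnet 10.200.0.0/24:
access-list remote_vpn permit ip 10.200.0.0 255.255.255.0 10.100.100.0 255.255.255.0
access-group remote_vpn in interface outside
```

Two things to check before committing this on a production PIX: if an ACL is already bound to the outside interface, the new `access-group` replaces it, so merge the `remote_vpn` entries into the existing ACL rather than binding a second one; and after the change, verify from the VPN client that 10.100.100.1:4899 still connects while another inside host does not, and confirm the denies with `show access-list remote_vpn` (the hit counters) and the syslog deny messages.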


Re: Restricting access of remote users to internal network

Sorry for the delay. Thank you both for your advice.

Branko.


Re: Restricting access of remote users to internal network

So how are you going with the code?
