to give selective access by VPN.

bapatsubodh
Level 1

If we have two webservers (add1 and add2) hosted in the DMZ region, and we need to give access to only one webserver (add1) over the remote VPN client, can we do it? Because when we configure the remote VPN client using PDM, it never asks for any particular IP address to which this configuration will be applied. It only asks which interface the VPN client will interact with.

1 Accepted Solution

Accepted Solutions

jackko
Level 7
Level 7

The PIX current config should be similar to the one below:

access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond

If so, then you just need to modify ACL 120, i.e. the split-tunneling ACL:

from

access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

to

access-list 120 permit ip host 192.168.1.100 10.1.1.0 255.255.255.0

By modifying ACL 120 as above, the remote VPN user will be permitted to reach host 192.168.1.100 only (all protocols/ports).

Alternatively, you may restrict the access down to protocol/port level. It requires you to disable the command "sysopt connection permit-ipsec" and then create an inbound ACL. Let me know if this is preferred and I will provide you a configuration example.

Another point that should be noticed is that although the remote user can only access one server in the DMZ, you should also restrict the access rights on the server, as the remote VPN user may be able to access other private resources from the server.

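An added example, not from the original thread: a small evaluator for PIX-style access-list entries (real subnet masks, first match wins, implicit deny) run against sample flows, to show what narrowing ACL 120 from the /24 to `host 192.168.1.100` changes. The `outside_in` entry is an assumed illustration of the inbound-ACL, port-level approach jackko mentions, not a configuration from the page.

```python
import ipaddress

# Constructed sample ACLs. Split-tunnel ACL 120 is written from the PIX side
# (protected host/network as source, VPN pool as destination), so a client's
# flow to a server is evaluated with src=server, dst=client address.
ORIGINAL_120 = ["access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0"]
NARROWED_120 = ["access-list 120 permit ip host 192.168.1.100 10.1.1.0 255.255.255.0"]
# Assumed inbound ACL (client -> server direction) for the port-level variant,
# usable once "sysopt connection permit-ipsec" is disabled; not from the page.
PORT_LEVEL = ["access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.100 eq 443"]


def _parse_addr(toks, i):
    """Parse 'any', 'host A', or 'A MASK' (PIX uses real netmasks, not wildcards)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False), i + 2


def parse_ace(line):
    """access-list <id> permit|deny <proto> <src> <dst> [eq <port>]"""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    acl_id, action, proto = t[1], t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"id": acl_id, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def permits(acl_lines, src_ip, dst_ip, proto="ip", dport=None):
    """First-match evaluation; anything not explicitly permitted is denied."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False


if __name__ == "__main__":
    client = "10.1.1.11"  # first address of ippool
    for label, acl in (("original", ORIGINAL_120), ("narrowed", NARROWED_120)):
        print(label, "add1:", permits(acl, "192.168.1.100", client),
              "add2:", permits(acl, "192.168.1.101", client))
```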
2 Replies

I am looking to do a similar thing, except that I'd like to lock it down to a single TCP port. Will you please post a sample config as mentioned above?

Thx,