11-07-2005 10:15 AM - edited 02-21-2020 02:05 PM
If we have two webservers (add1 and add2) hosted in the DMZ, and we need to give access to only one webserver (add1) over the remote VPN client, can we do it? Because when we configure the remote VPN client using PDM, it never asks for any particular IP address where this configuration will be applied. It only asks which interface the VPN client will interact with.
11-07-2005 03:12 PM
the pix current config should be similar to the one below:
access-list 101 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (dmz) 0 access-list 101
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp identity address
isakmp nat-traversal 20
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
ip local pool ippool 10.1.1.11-10.1.1.21
vpngroup vpnclient address-pool ippool
vpngroup vpnclient idle-time 1800
vpngroup vpnclient dns-server 139.130.4.4
vpngroup vpnclient password cisco456
vpngroup vpnclient split-tunnel 120
crypto dynamic-map dynmap 10 set transform-set vpnset
crypto map remote_vpn 20 ipsec-isakmp dynamic dynmap
username cisco password cisco123
aaa-server LOCAL protocol local
crypto map remote_vpn client authentication LOCAL
crypto map remote_vpn client configuration address initiate
crypto map remote_vpn client configuration address respond
If so, then you just need to modify ACL 120, i.e. the split-tunneling ACL:
from
access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
to
access-list 120 permit ip host 192.168.1.100 10.1.1.0 255.255.255.0
By modifying ACL 120 as above, the remote VPN user will be permitted to reach host 192.168.1.100 only (all protocols/ports).
Alternatively, you may restrict the access down to the protocol/port level. It requires you to disable the command "sysopt connection permit-ipsec" and then create an inbound ACL. Let me know if this is preferred and I will provide you a configuration example.
Another point to note: although the remote user can only access one server in the DMZ, you should also restrict access rights on the server itself, as the remote VPN user may be able to reach other private resources from that server.
10-11-2006 02:00 AM
I am looking to do a similar thing, except that I'd like to lock it down to a single TCP port. Will you please post a sample config as mentioned above?
Thx,
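The following is an added configuration example for the protocol/port-level alternative mentioned in the answer above and asked for in the follow-up; it is not config posted by either participant. It builds on the sample config in the answer (VPN pool 10.1.1.0/24, DMZ server 192.168.1.100, split-tunnel ACL 120) and assumes the tunnel terminates on an interface named "outside", that the only port to expose is TCP 443, and that the inbound ACL is called outside_in; all three names are assumptions. The PIX 6.x syntax is used because that is what the posted config is written in.

```cisco
! --- 1. Keep the split-tunnel ACL narrowed to the single host.
!     This is pushed to the VPN client and enforced by the client
!     software, so it is a convenience for the user, not a security
!     boundary: a modified client can still send any traffic into
!     the tunnel.
no access-list 120 permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 120 permit ip host 192.168.1.100 10.1.1.0 255.255.255.0
vpngroup vpnclient split-tunnel 120

! --- 2. Stop decrypted IPsec traffic from bypassing interface ACLs.
!     With this sysopt enabled (the default), anything arriving
!     through the tunnel skips the outside ACL entirely.
no sysopt connection permit-ipsec

! --- 3. Inbound ACL on the tunnel-terminating interface (assumed
!     name: outside). After decryption the client packets carry a
!     pool address (10.1.1.x) as source, so that is what we match.
!     Only TCP/443 to the one server is allowed; the explicit deny
!     documents the intent (PIX also has an implicit deny at the end).
access-list outside_in permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.100 eq 443
access-list outside_in deny ip 10.1.1.0 255.255.255.0 any

! --- 4. Apply the ACL inbound on the outside interface.
!     PIX 6.x allows one inbound access-group per interface; if an
!     outside ACL already exists (for published services behind
!     static NAT), add the two lines above to that ACL instead.
access-group outside_in in interface outside
```

Check it after applying: from a connected client, a connection to https://192.168.1.100 should succeed, while 192.168.1.100:80, any other DMZ host, and any inside address should time out or be refused by the PIX, and "show access-list outside_in" should show the hit counts climbing on the permit and deny entries. The IKE and ESP packets addressed to the PIX itself are not transit traffic and are not filtered by this interface ACL, so the tunnel still establishes. Note that `nat (dmz) 0 access-list 101` in the posted config still has to cover the server-to-pool return path, and the advice about hardening the server itself still applies: the PIX now limits the client to one port on one host, but whatever that host can reach is what the client can pivot to.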