Cisco Support Community

New Member

VPN and LAN access

I want to allow certain users to connect to my concentrator, but then only allow them to have access to a single server on the LAN side.

Please help.


Re: VPN and LAN access

Hi .. you need to follow some steps

1.- create a subnet list and add the IP you need access to

Configuration | Policy Management | Traffic Management | Network Lists

2.- create a group for remote access

Configuration | User Management | Groups

3.- Within the group, select the tab 'Client Config', select the option 'Only tunnel networks in the list'

and select the list you created in step 1.

This will allow a remote user to connect to only one host by using the VPN client.

I hope it helps ...please rate it if it does !!!

New Member

Re: VPN and LAN access

The above instructions work. How do you allow the users to terminal service to a server and then only allow them to access that server? Thanks.

Re: VPN and LAN access

Hi ... If I understood correctly ... you want to allow access to one server only for your remote users .. this can be done by controlling the access at the VPN concentrator as per my previous post.

If you initiate another session from the above server to, let's say, another server by using Remote Desktop .. then the VPN concentrator can do nothing about it as the traffic does not traverse it. The same applies to any device terminating the VPN connection. To restrict further connections you need to implement some kind of HIPS ( Host intrusion prevention system such as CSA ) on the desktops and servers to control that type of connection.

I hope it helps ... please rate it if it does !!!

New Member

Re: VPN and LAN access

Thanks for your prompt response and information, Fernando.

Sorry for not making my questions clear. I want to allow the terminal service (remote desktop) to this server after the users login to VPN Concentrator, not terminal service to another server from this server. By using the instructions from the previous post, the users can't terminal service (Remote Desktop, etc. ) to this server after they login to VPN Concentrator, but can access everything on this server. I would like to allow the users to terminal service to one server AFTER they login to VPN. Then, I only allow them to access this server after they terminal service to this server. Please let me know if I have not explained myself clearly.



New Member

Re: VPN and LAN access

You can exclude split tunnel; that creates an access list that will be applied on tunnel traffic.
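As an added illustration (not from this thread and not Cisco's code), here is a small Python model of the two controls discussed above: the split-tunnel network list from Fernando's steps, which decides only which destinations enter the tunnel, and an access list applied to tunnel traffic, which can also restrict protocol and port. The client address pool, the server addresses and the rule format are constructed assumptions; the model also shows why a session started from the LAN server to another server is never seen by the concentrator.

```python
# Constructed model of a VPN concentrator's decision for one packet.
# Addresses, pool and rule format are assumptions, not taken from the thread.
from ipaddress import ip_address, ip_network

CLIENT_POOL = ip_network("192.168.100.0/24")      # assumed VPN client address pool
SERVER = "10.1.1.10"                              # the single LAN host users may reach
NETWORK_LIST = [ip_network(SERVER + "/32")]       # step 1: "Only tunnel networks in the list"

# Access list applied to tunnel traffic (last reply's suggestion):
# (protocol, destination network, destination port; None = any port)
RDP_ONLY_FILTER = [("tcp", ip_network(SERVER + "/32"), 3389)]

def tunneled(dst):
    """Split-tunnel decision: only destinations in the network list enter the tunnel."""
    return any(ip_address(dst) in net for net in NETWORK_LIST)

def concentrator_decision(src, proto, dst, port, filter_rules=None):
    """Return what happens to a packet with the given 5-tuple fields.

    'not-seen-by-concentrator': traffic did not originate from a VPN client
    (e.g. a second RDP hop from SERVER to another server), so no policy applies.
    'not-tunneled': the client sends it out its local interface instead.
    'denied' / 'permitted': result of the tunnel access list, if one is applied.
    """
    if ip_address(src) not in CLIENT_POOL:
        return "not-seen-by-concentrator"
    if not tunneled(dst):
        return "not-tunneled"
    if filter_rules is None:
        # A network list alone does not inspect protocol or port:
        # every service on SERVER is reachable once the tunnel is up.
        return "permitted"
    for r_proto, r_net, r_port in filter_rules:
        if r_proto == proto and ip_address(dst) in r_net and r_port in (None, port):
            return "permitted"
    return "denied"

if __name__ == "__main__":
    client = "192.168.100.5"
    print(concentrator_decision(client, "tcp", SERVER, 3389))                   # permitted
    print(concentrator_decision(client, "tcp", SERVER, 445))                    # permitted (list only)
    print(concentrator_decision(client, "tcp", SERVER, 445, RDP_ONLY_FILTER))   # denied
    print(concentrator_decision(client, "tcp", "10.1.1.20", 3389))              # not-tunneled
    print(concentrator_decision(SERVER, "tcp", "10.1.1.20", 3389, RDP_ONLY_FILTER))  # not-seen-by-concentrator
```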
