Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

CISCO RV180 - Limited VPN Access

Hello!

I'm using CISCO Router RV180 for incoming VPN connections. I just learned how to do it, I did all the settings and it is working now. However I have noticed that users who connect through thier VPN Clients can see the whole internal network. Can those be limited to only certain local IPs?

For example my local network is 10.x.x.x. I have CISCO Router Web Interface avaliable to login at 10.x.x.1 and the Web Server I want users to access is on 10.x.x.2. Can I forbid acceess for VPN users who connect through the CISCO IP so this 10.x.x.1 address avalable for local users only?

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Gold

CISCO RV180 - Limited VPN Access

Slava,

What I meant by my statement is that with PPTP you will give the users access to the entire network. With Port Forwarding the users only have access to the server that is listening on port 443. Since port 443 uses https, it is a secure connection.

If your users have Windows 7 or below, you may wish to try QuickVPN. You only have to enable Remote Management on port 443 or 60443 and add users. (No IKE Policy is needed as the router will listen for QuickVPN connections automatically) With QuickVPN the end users will have access to everything on VLAN 1, so you may want to create another VLAN for devices that you don't want them to have access to.

If you use a third party VPN client such as Shrewsoft (Windows) or IPSecuritas (Mac), you should be able to restrict access only to the server. (You will need to create an IKE and VPN Policy)

- Marty

11 REPLIES
Gold

CISCO RV180 - Limited VPN Access

Slava,

You cannot restrict VPN users, they will have access to the entire LAN. There is possbly a workaround. You could place the server alone on VLAN 1 and the rest of your devices on VLAN 2. Allow Inter-VLAN routing for your local devices to access the server but the VPN user will not be able to reach VLAN 2.

- Marty

New Member

CISCO RV180 - Limited VPN Access

Hi, Marty,

Thank you for your answer. Do you know if I can do that by RV180 means or I would need an additional equipment?

Gold

CISCO RV180 - Limited VPN Access

Slava,

I'm assuming that you are using QuickVPN for remote access.

You can do it on the RV180:

Connect the server to port 1 on the router. That port is VLAN 1 Untagged by default.

Under Networking-> VLAN Membership, Add Row.

VLAN ID: 2

Description: VLAN 2 (Or whatever you like)

Inter VLAN Routing: Enabled

Device Management: Enabled?

Port 1: Tagged

Port 2: Untagged

Port 3: Untagged

Port 4: Untagged

Under Networking-> Multiple VLAN Subnets, select your new VLAN 2 and Edit.

IP Address: 192.168.2.1 (Example)

Subnet Mask: 255.255.255.0


DHCP Mode: DHCP Server (If you want the router to do DHCP)

Starting IP Address: 192.168.2.100

Ending IP Address: 192.168.2.254

Connect all of your VLAN 2 devices to ports 2-4. They should be able to reach the server on VLAN 1 but cannot be reached from the VPN users.

- Marty




New Member

CISCO RV180 - Limited VPN Access

Dear Marty, thank you for the detailed instructions. This is a good thing to know. I have tried this out and then realized that it probably not exactly what I need, or I missed something from your write-up.

I have the webserver connected to Port 1 and I manage the CISCO Router from that webserver. The CISCO Router has IP address 10.10.10.1 and the webserver is 10.10.10.2. There are no other devices connected to the router. The webserver has additional network interfaces and all local devices are connected through that.

Till now I had port 443 forwarded by the CISCO routed to the webserver for external connections. But a security consultant adviced to switch the external clients from HTTPS to VPN (still leaving HTTPS though). That's I'm working on right now. I was adviced to use L2TP but I didn't find how I can set it up on the Router (though the manual says it should be there) so I made PPTP for now. I did that by adding IKE Policy and a VPN user (don't know if anything else is needed but it seems working fine).

When I try to connect from outside by a VPN Client which is WIn 7 (creating VPN network feature) the VPN network gets created and I can go to 10.10.10.2 to see the webserver. But I also can go to 10.10.10.1 and see the CISCO Router login page. The last one I'm trying to hide if possible. Also I didn't figure out yet if such VPN users can use other ports or it is still only 443 allowed for them. Ideally I want VPN users login and see only the webserver and only on 443 port. Not sure if that is possible.

Gold

CISCO RV180 - Limited VPN Access

Slava,

The RV180 does not have an L2TP server. It does however allow passthrough to an L2TP server on the LAN.

You do not need an IKE policy for PPTP. IKE is for IPSec VPN connections only. For PPTP, you only need to create a DHCP scope and add a user.

Once the user is connected they will have full access to the server. You cannot limit the PPTP users in the RV180 to allow only access to specific ports on the server. To do that you will need a firewall installed on the server that can block all access except for https.

If you need the router to only allow access on port 443, Port Forwarding is a better option than PPTP. Do you have only a few users that need to access the server and you are trying to block the rest of the internet?

- Marty

New Member

CISCO RV180 - Limited VPN Access

Hello Marty,

Actually you are right, that's what I need. My webserver is written on PHP and while I took all the measures I know to prevent all the hacker attacks such as Cross-Site Scripting, SQL injsections or Brute Force I heard there could be vulnerables in PHP itself. So I'm trying to limit the access down to certain users, those are about 20-30 users from different cities. For a big remote office of 15 people I just have bought another RV180 which I will set up at their end and make VPN (using IPSec, I guess). For the single users scattered all over different cities I probably would need something else.

I thought PPTP is a good solution for that but doing this I open access to manage my cisco router. If someone would find a password to PPTP connection they could go further and access the router. I don't have that when I'm using just HTTPs through RV180 which acts as a firewall forwarding Port 443 only. I'm not sure which one is better.

I also just realized that PPTP is not encryption, it it just a tunnel, should I use IPSec instead then?

Gold

CISCO RV180 - Limited VPN Access

Slava,

IPSec is considered much more secure than PPTP.

- Marty

New Member

CISCO RV180 - Limited VPN Access

Ok, get it. So then I create IKE policy for IPSec, create users and go. Another option is to leave as it is now i.e. forwarding 443 port to LAN only. I have to choose myself I guess.

Did you want to suggest something on that:

If you need the router to only allow access on port 443, Port Forwarding is a better option than PPTP. Do you have only a few users that need to access the server and you are trying to block the rest of the internet?

Gold

CISCO RV180 - Limited VPN Access

Slava,

What I meant by my statement is that with PPTP you will give the users access to the entire network. With Port Forwarding the users only have access to the server that is listening on port 443. Since port 443 uses https, it is a secure connection.

If your users have Windows 7 or below, you may wish to try QuickVPN. You only have to enable Remote Management on port 443 or 60443 and add users. (No IKE Policy is needed as the router will listen for QuickVPN connections automatically) With QuickVPN the end users will have access to everything on VLAN 1, so you may want to create another VLAN for devices that you don't want them to have access to.

If you use a third party VPN client such as Shrewsoft (Windows) or IPSecuritas (Mac), you should be able to restrict access only to the server. (You will need to create an IKE and VPN Policy)

- Marty

New Member

CISCO RV180 - Limited VPN Access

Thank you very much. In this case wouldn't be better a following scheme: usual users keeps getting connected through https with no VPN set up and administrator uses VPN for remote access inside of the network for any settings etc.?

Gold

CISCO RV180 - Limited VPN Access

Slava,

It is difficult to answer this question without more information. In general I would say that it is best to use https if that is the only service that the users need access to. You will of course want VPN access to everything on the LAN for management purposes.

- Marty

1523
Views
15
Helpful
11
Replies
CreatePlease login to create content