Allowing of Specific Public IP through IPSEC VPN

fmatrine
Level 1

Dear Sir,

We have a central office which acts as a hub location for all the database access from remote locations.

At the central location we have internet connectivity using a Cisco 2610 router; we also have a Cisco PIX firewall deployed for security purposes.

We have configured VPN on the firewall for remote access clients who want to access the central site LAN over a secured VPN tunnel.

The new requirement is to allow VPN from specific public IPs only and block the rest of the world (public IPs). We have more than 4 remote sites which, using fixed public IPs, will VPN to the central site to access the LAN.

Please advise with a sample config for the above scenario.

The PIX config related to VPN is listed below.

!--- Access list to avoid Network Address Translation (NAT)
!--- on the IPSec packets
access-list 101 permit ip 192.168.48.0 255.255.255.0 10.1.2.0 255.255.255.0

!--- IP addresses on the interfaces
ip address outside 239.14.9.2 255.255.255.240
ip address inside 192.168.128.1 255.255.255.252
ip address dmz 192.168.98.2 255.255.255.224
ip local pool vpnpool 10.1.2.1-10.1.2.10

!--- Binding ACL 101 to the NAT statement to avoid NAT
!--- on the IPSec packets
nat (inside) 0 access-list 101

!--- Default route to the Internet
route outside 0.0.0.0 0.0.0.0 239.14.9.1 1

!--- The sysopt command avoids conduit
!--- on the IPSec encrypted traffic
sysopt connection permit-ipsec
no sysopt route dnat
!
!--- Phase 2 encryption type
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!--- Binding the IPSec engine on the outside interface
crypto map mymap interface outside
!
!--- Enabling Internet Security Association and
!--- Key Management Protocol (ISAKMP) key exchange
isakmp enable outside
isakmp identity address

!--- ISAKMP policy for VPN Client running 3.x or 4.x code
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

!--- IPSec group configuration for either VPN Client
vpngroup test address-pool vpnpool
vpngroup test default-domain test.co.in
vpngroup test idle-time 1800
vpngroup test password test123

!--- To allow simultaneous access to the
!--- internal network and to the Internet
vpngroup vpn3000 split-tunnel 101

Please advise with a sample config for the above scenario.

Thanks & Regards

Deepak

1 Reply

amritpatek
Level 6

I am not quite clear on what exactly is needed here. Do you want the VPN to connect to your central site only from fixed IP addresses? If yes, then will you block all the VPN connections from the clients from other addresses? I think the access-list commands that are used in the crypto map need to be modified.

Experts out there, can anybody say more on this?

Thanks.
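The posted config binds a dynamic crypto map (`crypto map mymap 10 ipsec-isakmp dynamic dynmap`) to the outside interface, and a dynamic map is exactly what lets a peer at any public address start IKE negotiation; restricting the fixed-address sites means giving each of them a static map entry with `set peer` and a matching `isakmp key ... address` line, which is LAN-to-LAN style rather than the `vpngroup` client setup shown above. The following audit script is an added example, not part of the thread or Cisco's own tooling: it parses PIX 6.x crypto lines and reports, per crypto map bound to an interface, whether a dynamic entry is present and which explicit peers are configured. The static variant embedded below is constructed for illustration; its peer addresses are documentation addresses and the pre-shared keys are placeholders.

```python
import re
from collections import defaultdict

# Crypto lines from the config posted in the thread (abridged). The dynamic
# entry means any peer may negotiate with the outside interface.
POSTED_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
"""

# Constructed static alternative: one map entry per fixed remote address
# (198.51.100.7 and 203.0.113.20 are documentation addresses, keys are placeholders).
STATIC_CONFIG = """\
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto map mymap 20 ipsec-isakmp
crypto map mymap 20 set peer 198.51.100.7
crypto map mymap 20 set transform-set myset
crypto map mymap 20 match address 120
crypto map mymap 30 ipsec-isakmp
crypto map mymap 30 set peer 203.0.113.20
crypto map mymap 30 set transform-set myset
crypto map mymap 30 match address 130
crypto map mymap interface outside
isakmp key PLACEHOLDER_KEY address 198.51.100.7 netmask 255.255.255.255
isakmp key PLACEHOLDER_KEY address 203.0.113.20 netmask 255.255.255.255
"""

DYN_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")

def audit_crypto_peers(config_text):
    """Return {map_name: {"interface": str|None, "dynamic": bool, "peers": [..]}}."""
    maps = defaultdict(lambda: {"interface": None, "dynamic": False, "peers": set()})
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := DYN_RE.match(line):
            maps[m.group(1)]["dynamic"] = True      # dynamic entry: any peer accepted
        elif m := PEER_RE.match(line):
            maps[m.group(1)]["peers"].add(m.group(3))  # explicit static peer
        elif m := BIND_RE.match(line):
            maps[m.group(1)]["interface"] = m.group(2)
    return {n: {**i, "peers": sorted(i["peers"])} for n, i in maps.items()}

def accepts_any_peer(config_text, interface="outside"):
    """True if a crypto map bound to `interface` carries a dynamic entry."""
    return any(i["interface"] == interface and i["dynamic"]
               for i in audit_crypto_peers(config_text).values())
```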