Cisco Support Community
New Member

Client VPN to PIX7 - DMZ access problem

Hi All,

I have a basic problem using VPN access. The VPN succeeds, but access is allowed only to the internal LAN (Inside interface). I want to restrict a specific user to access only a specific network (DMZ interface).

I created the VPN using ASDM.

Regards,

Ofir.

6 REPLIES
Gold

Re: Client VPN to PIX7 - DMZ access problem

Firstly, to allow remote VPN access to other subnets, a no-NAT ACL and a crypto ACL need to be configured.

Next, a vpn-filter might be applied to the individual user in order to restrict access after the VPN is established.

Please excuse me for not being able to provide a configuration example, as I don't use ASDM. Nonetheless, I may be able to provide further assistance, assuming you are willing to play with the CLI.
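A worked PIX 7.x CLI version of the three pieces named in the reply above (NAT exemption, crypto ACL, and a per-user vpn-filter), added here as an illustration; it is not taken from any post in the thread. It uses the addresses from the thread (client 10.10.2.1, DMZ 192.168.100.0/24, tunnel-group `test`, pool `pool8`) and assumes the DMZ interface is named `dmz`, that local (XAUTH) user authentication is acceptable, and that the user account is called `ofir`; the ACL names `dmz_nat0_outbound` and `VPN_DMZ_ONLY` are made up for the example.

```cisco
! NAT exemption: DMZ hosts must reach the VPN client without translation.
! Interface name "dmz" is an assumption; use the real nameif of the DMZ.
access-list dmz_nat0_outbound extended permit ip 192.168.100.0 255.255.255.0 host 10.10.2.1
nat (dmz) 0 access-list dmz_nat0_outbound

! Crypto ACL: only DMZ <-> client traffic is protected by the tunnel.
! The transform set is the one from the posted config; single DES is weak
! and should be replaced (e.g. by an AES transform set) in production.
access-list outside_cryptomap_dyn_120 extended permit ip 192.168.100.0 255.255.255.0 host 10.10.2.1
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA

! vpn-filter ACL: the client address is the source, the local network the
! destination. The PIX also checks return traffic against it with the
! addresses mirrored, and the implicit deny at the end drops everything
! else, including traffic towards the Inside network.
access-list VPN_DMZ_ONLY extended permit ip host 10.10.2.1 192.168.100.0 255.255.255.0

! Per-user restriction: authenticate users locally and attach the filter
! to this one account. (Putting "vpn-filter value" under the group-policy
! attributes would apply it to every user of the group instead.)
tunnel-group test general-attributes
 address-pool pool8
 authentication-server-group LOCAL

! Placeholder password: assumption, replace with a real one.
username ofir password <set-a-real-password>
username ofir attributes
 vpn-filter value VPN_DMZ_ONLY
```

After the client connects, `show vpn-sessiondb detail remote` should list the filter name on the session, and the hit counts in `show access-list VPN_DMZ_ONLY` should climb for DMZ traffic while attempts to reach Inside hosts produce no hits and fail.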

New Member

Re: Client VPN to PIX7 - DMZ access problem

Thanks for your response!

I need the VPN user to access only a specific subnet (DMZ interface: 192.168.100.0/24). Must I restrict access using a VPN filter?

My CLI definitions are:

tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool pool8
tunnel-group test ipsec-attributes
 pre-shared-key test

access-list outside_cryptomap_dyn_120 extended permit ip 192.168.100.0 255.255.255.0 host 10.10.2.1
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 120 set security-association lifetime seconds 28800 kilobytes 4608000
no crypto dynamic-map outside_dyn_map 120 set nat-t-disable
no crypto dynamic-map outside_dyn_map 120 set reverse-route
crypto map outside_map interface outside

sysopt connection permit-ipsec

My pool is 10.10.2.1 - 10.10.2.1 (one address).

The problem is that I can't reach 192.168.100.0 (a directly connected network), while I do get access to the local LAN (Inside) network.

Silver

Re: Client VPN to PIX7 - DMZ access problem

Is any split tunneling configured on the VPN? How about the permissions in the access lists to reach the DMZ segment from the VPN pool?

Gold

Re: Client VPN to PIX7 - DMZ access problem

A group policy needs to be configured for split tunneling.

e.g.

access-list outside_cryptomap_dyn_120 extended permit ip 192.168.100.0 255.255.255.0 host 10.10.2.1

group-policy remote_vpn internal
group-policy remote_vpn attributes
 vpn-idle-timeout 20
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value outside_cryptomap_dyn_120

tunnel-group test type ipsec-ra
tunnel-group test general-attributes
 address-pool pool8
 default-group-policy remote_vpn
tunnel-group test ipsec-attributes
 pre-shared-key test

New Member

Re: Client VPN to PIX7 - DMZ access problem

Thanks for your help!

I'm able to establish the VPN connection and to reach the network. The only problem is that both the DMZ (192.168.100.0) and the local LAN (Inside) are reachable...

I defined an access list (outside interface) that restricts access only from 10.10.2.1 to 192.168.0.0/16 and added a group-policy filter that does the same, but I still have access to the inside network.

Any tips are more than welcome.

New Member

Re: Client VPN to PIX7 - DMZ access problem

I think that the "sysopt connection permit-ipsec" statement means that your IPsec traffic will not have any interface ACLs applied to it. So in order for the restrictions configured in your outside ACL to be applied, you must remove this command. I'm still in the process of learning how all this works, so take my advice with a grain of salt....

Peter
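The behaviour the reply above describes is correct: while `sysopt connection permit-ipsec` is present, decrypted IPsec traffic bypasses the interface ACLs, so an outside ACL never sees the VPN client's packets. The alternative it suggests, written out for PIX 7.0/7.1 as an added example that is not from any post in the thread: turn the bypass off, then let the outside interface ACL admit only client-to-DMZ traffic. The ACL name `outside_access_in` is an assumption; the addresses are the thread's.

```cisco
! Without this line, decrypted IPsec traffic skips the outside ACL entirely.
! (On 7.2 and later the command was renamed "sysopt connection permit-vpn".)
no sysopt connection permit-ipsec

! Outside interface ACL: keep whatever rules the interface already needs for
! non-VPN traffic, then allow the VPN client to the DMZ only. The implicit
! deny at the end now also drops decrypted client traffic bound for Inside.
access-list outside_access_in extended permit ip host 10.10.2.1 192.168.100.0 255.255.255.0
access-group outside_access_in in interface outside
```

Two caveats before choosing this over a vpn-filter: the interface ACL is evaluated for every IPsec peer that terminates on outside (LAN-to-LAN tunnels included), so each of them now needs its decrypted traffic permitted there too, and it cannot be targeted at one user the way `vpn-filter value` under `username ... attributes` can. IKE and ESP addressed to the PIX itself are to-the-box traffic and are not affected by this ACL.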
