Cisco Support Community

How to limit VPN Groups access to the local LAN

Hi everyone ...

We have a VPN server created by CCP on a Cisco 2801 router, we have two VPN Groups VPN_1 and VPN_2.

VPN_1 users must be able to access only the 192.168.0.2 server
and the VPN_2 users must be able to access only 192.168.0.75

------ ROUTER CONFIGURATION -----

//GROUPS:
crypto isakmp client configuration group VPN_1
 key xxxxxxxxxxxxx
 dns 192.168.0.x
 pool SDM_POOL_1
 acl 114
 include-local-lan
 max-users 10
 netmask 255.255.255.0
!

crypto isakmp client configuration group VPN_2
 key xxxxxxxxxxxxx
 dns 192.168.0.x
 pool SDM_POOL_1
 acl 115
 include-local-lan
 max-users 10
 netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_1
   match identity group VPN_2
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!

//ACL:

access-list 114 remark vpn_1
access-list 114 permit ip any host 192.168.0.2

access-list 115 remark vpn_2
access-list 115 permit ip any host 192.168.0.75

-----------------------end----------------------

But this configuration does not work!! All VPN users can access any host in my private LAN!!

Please help me to solve this issue.

Reg.
3 REPLIES
The ACLs (114 and 115) you are using are not ACLs that are used for filtering traffic. The logic of these ACLs is a little bit different. The "acl" keyword controls split-tunneling, which is the definition of which traffic is sent through the tunnel. Everything that is not specified with a "permit" can be reached in cleartext. With that, only the defined traffic can be reached in the inside network. The definition of the traffic is configured from the viewpoint of the router. You have to specify the traffic that the router wants to see in the tunnel:

access-list 114 permit ip host 192.168.0.2 YOUR-IP-POOL
access-list 115 permit ip host 192.168.0.75 YOUR-IP-POOL

More on the EasyVPN-Server can be found in the config-guide:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_esyvpn/configuration/15-mt/sec-easy-vpn-15-mt-book/sec-easy-vpn-srvr.html


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
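The split-tunnel semantics described in the reply above, modelled in Python as an added example (this is not code from the thread, from Cisco, or from the Easy VPN feature itself): it parses numbered IOS ACL entries, treats the source field of each "permit ip" entry as the network pushed to the client for tunnelling (the router's viewpoint, as the reply says), and shows why the posted "permit ip any host 192.168.0.2" lets a client route every inside host into the tunnel while the corrected form confines it to 192.168.0.2. The client pool 10.10.10.0/24 and the list of inside hosts are constructed assumptions; the thread only names the pool SDM_POOL_1.

```python
import ipaddress

# Constructed sample input: the group VPN_1 split-tunnel ACL exactly as posted in
# the question, and a corrected version in the form the reply suggests.
# The client address pool (10.10.10.0/24) is an assumption; the thread only
# shows the pool name SDM_POOL_1.
ORIGINAL_ACL_114 = [
    "access-list 114 remark vpn_1",
    "access-list 114 permit ip any host 192.168.0.2",
]
CORRECTED_ACL_114 = [
    "access-list 114 remark vpn_1",
    "access-list 114 permit ip host 192.168.0.2 10.10.10.0 0.0.0.255",
]

# Constructed inside hosts: the two servers from the question plus one extra.
INSIDE_HOSTS = ["192.168.0.2", "192.168.0.75", "192.168.0.10"]


def _wildcard_to_prefixlen(wildcard):
    """Convert an IOS wildcard mask (0 bits = must match) to a prefix length."""
    w = int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):  # a valid wildcard is a run of 1 bits in the low positions
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - w.bit_length()


def _parse_address(tokens, i):
    """Parse one ACL address spec at tokens[i]; return (network, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefixlen = _wildcard_to_prefixlen(tokens[i + 1])
    return ipaddress.ip_network(f"{tokens[i]}/{prefixlen}", strict=False), i + 2


def parse_acl(lines):
    """Return (source, destination) network pairs for every 'permit ip' entry.

    Remarks, deny entries and other protocols are skipped: the split-tunnel
    list is derived from permit ip entries only.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[2] != "permit" or tokens[3] != "ip":
            continue
        src, i = _parse_address(tokens, 4)
        dst, _ = _parse_address(tokens, i)
        entries.append((src, dst))
    return entries


def split_include(lines):
    """Networks the client is told to send through the tunnel.

    The ACL is written from the router's viewpoint, so the *source* field of
    each entry is the inside network the client is allowed to reach.
    """
    return [src for src, _ in parse_acl(lines)]


def client_tunnels(lines, destination):
    """True if a client holding this split-tunnel list routes destination into the tunnel."""
    dst = ipaddress.ip_address(destination)
    return any(dst in net for net in split_include(lines))


def reachable_inside_hosts(lines, hosts=INSIDE_HOSTS):
    """Inside hosts the client would send into the tunnel, and so can reach."""
    return [h for h in hosts if client_tunnels(lines, h)]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_114), ("corrected", CORRECTED_ACL_114)):
        nets = [str(n) for n in split_include(acl)]
        print(f"{name}: split-include={nets} reachable={reachable_inside_hosts(acl)}")
```

With the posted ACL the source field is "any", so the client is told to tunnel 0.0.0.0/0 and every inside host is reachable, which is exactly the symptom in the question; with the corrected entry only 192.168.0.2/32 is pushed. Keep in mind that a split-tunnel list is a policy the client applies to its own routing and is not itself a filter on the router, so where the restriction has to be enforced rather than merely configured, a conventional filtering ACL on the router side is still needed.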
give me an example please

Hello,

In this case Karsten Iwen is right on this, though make sure you also have a NAT 0 statement to permit the traffic from the inside servers to the VPN client users.

Please take a look at this configuration guide:

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

Don't forget to rate this!

Regards,

David Castro,