Cisco Support Community

Limit RDP for VPN Clients

When I give split-tunnel-network-list value nonat, the Remote Access VPN works fine.

But I have to block Remote Desktop access to servers 10.2.1.10, 10.2.1.12 & 10.2.1.13 (only RDP is to be blocked).

For the rest of the servers (10.2.1.20, 10.2.1.21, 10.2.1.22 & 10.2.1.25) users should have full access. When I apply split-tunnel-network-list value erpacl, the traffic is blocked. It seems to be an access-list issue.

Should I use vpn-filter value erpacl?

Thanks in advance

access-list nonat extended permit ip host 10.1.2.20 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.21 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.22 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.25 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.10 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.12 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.13 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.20 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.21 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.22 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.25 172.28.10.0 255.255.255.0
access-list erpacl extended deny tcp host 10.1.2.10 172.28.10.0 255.255.255.0 eq 3389
access-list erpacl extended deny tcp host 10.1.2.12 172.28.10.0 255.255.255.0 eq 3389
access-list erpacl extended deny tcp host 10.1.2.13 172.28.10.0 255.255.255.0 eq 3389
!
ip local pool erppool 172.28.10.1-172.28.10.10 mask 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
group-policy erpvpn internal
group-policy erpvpn attributes
dns-server value 10.1.2.10
vpn-simultaneous-logins 100
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value erpacl
default-domain value npsintl.com
!
tunnel-group ERP-VPN type ipsec-ra
tunnel-group ERP-VPN general-attributes
address-pool erppool
default-group-policy erpvpn
tunnel-group ERP-VPN ipsec-attributes
pre-shared-key *

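Added example (editor's, not the original poster's configuration): the vpn-filter is the mechanism that matches the question. On the ASA, split-tunnel-network-list only decides which destinations the client routes through the tunnel; a deny entry there excludes a network from the tunnel rather than blocking it, and port numbers in it do not filter anything. A vpn-filter ACL is what actually filters the decrypted traffic. It is applied to both directions of a session, is written with the VPN client address as the source and the inside host as the destination, is evaluated first-match, and ends with an implicit deny, so the RDP deny lines have to come before the permit lines and everything else the users need must be permitted explicitly. The ACL names erp-split and erp-vpnfilter are made up for this example, and the addresses follow the pasted config (10.1.2.x) rather than the 10.2.1.x in the text.

```cisco
! Split-tunnel list: which destinations the client sends through the tunnel.
! Standard ACL, networks/hosts only, no ports and no deny lines.
access-list erp-split standard permit host 10.1.2.10
access-list erp-split standard permit host 10.1.2.12
access-list erp-split standard permit host 10.1.2.13
access-list erp-split standard permit host 10.1.2.20
access-list erp-split standard permit host 10.1.2.21
access-list erp-split standard permit host 10.1.2.22
access-list erp-split standard permit host 10.1.2.25
!
! VPN filter: source = VPN client pool (172.28.10.0/24), destination = inside host.
! First match wins, so the RDP denies go first; implicit deny ip any any at the end.
access-list erp-vpnfilter remark --- block RDP from VPN clients to these three servers ---
access-list erp-vpnfilter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.10 eq 3389
access-list erp-vpnfilter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.12 eq 3389
access-list erp-vpnfilter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.13 eq 3389
access-list erp-vpnfilter remark --- everything else to those servers (DNS on 10.1.2.10 included) ---
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.10
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.12
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.13
access-list erp-vpnfilter remark --- full access to the remaining servers ---
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.20
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.21
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.22
access-list erp-vpnfilter extended permit ip 172.28.10.0 255.255.255.0 host 10.1.2.25
!
! NAT exemption stays as the poster has it (nat (inside) 0 access-list nonat).
!
group-policy erpvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value erp-split
 vpn-filter value erp-vpnfilter
```

Group-policy changes apply to new sessions only, so reconnect a test client before checking. `show vpn-sessiondb detail remote` should report erp-vpnfilter as the filter on the session, and `show access-list erp-vpnfilter` shows hit counts climbing on the deny lines while an RDP connection to 10.1.2.10 is attempted and on the permit lines for everything else. Two caveats: denying tcp/3389 only stops RDP on its default port, so a server listening on another port would still be reachable through the permit ip line, and the filter's implicit deny means any inside address missing from the ACL becomes unreachable for VPN users even if it is in the split-tunnel list.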