Need to restrict internet access of users by using ezvpn

Hi,

I'm using EZVPN and having an issue. I want to restrict the internet access of LAN users on the spoke side. Our ISP has given us some public IPs, so any traffic should go first to these IPs. I have mentioned those public IPs with their port numbers in the NAT statement, but users still have open internet access.

Now my question is:

After putting the access-list on the spoke side, do I need to restart the router once?

Because in the case of EZVPN I have experienced one thing: if we make any changes on the HUB device, they only take effect on the spoke once we restart the spoke device.

Below I have mentioned the configurations of the HUB and spoke.

HUB = ASA5520

Spoke = Cisco 877 router

ASA5520:-

access-list inside_access_in extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap_dyn_430 extended permit ip any 192.168.1.0 255.255.255.0
access-list splittunnelacl_Alqouz_warehouse extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splittunnelacl_Alqouz_warehouse extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool alquoz 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy ALQUOZ internal
group-policy ALQUOZ attributes
 wins-server value 192.xx.xx.xx 192.xx.xx.xx
 dns-server value 192.xx.xx.xx 192.xx.xx.xx
 vpn-access-hours none
 vpn-simultaneous-logins 20
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-tunnel-protocol IPSec
 ip-comp disable
 re-xauth disable
 pfs enable
 ipsec-udp disable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value splittunnelacl_Alqouz_warehouse
 default-domain value jashanmal.org
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout none
 ip-phone-bypass disable
 leap-bypass disable
 nem enable
tunnel-group ALQUOZ type remote-access
tunnel-group ALQUOZ general-attributes
 address-pool alquoz
 default-group-policy ALQUOZ

Router Cisco 877:-

Current configuration : 3376 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T.bin
boot-end-marker
!
no logging console
enable secret xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.21
ip dhcp excluded-address 192.168.1.140 192.168.1.151
ip dhcp excluded-address 192.168.1.12
ip dhcp excluded-address 192.168.1.62
ip dhcp excluded-address 192.168.1.250
!
ip dhcp pool mypool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   option 150 ip 10.xx.xx.xx 10.xx.xx.xx
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
 connect auto
 group ALQUOZ key xxxxxxxxxx
 mode network-extension
 peer 83.xx.xx.xx
 xauth userid mode interactive
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/50
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 description -----CONNECTED WITH ONT------
 switchport access vlan 2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn jashanvpn inside
!
interface Vlan2
 description -----connected to internet----
 no ip address
 ip nat outside
 ip virtual-reassembly
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Dialer0
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxx
 ppp chap password xxxxxx
 ppp pap sent-username xxxxxx password xxxxxxxxx
 crypto ipsec client ezvpn jashanvpn
!
interface Dialer1
 no ip address
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns view ezvpn-internal-view
 domain name-server 10.xx.xx.xx
 domain name-server 10.xx.xx.xx
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.6.14.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.xx.xx.xx eq 10008      <=====   Public IPs given by ISP
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.xx.xx.xx eq 10008
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 216.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
dialer-list 1 protocol ip permit
snmp-server community xxxx RO
snmp-server location -------ALQUOZ WH----
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host 10.xx.xx.xx version 2c jash
!
!
!
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
!
line con 0
 password xxxxxxxxxx
 login
 no modem enable
line aux 0
line vty 0 4
 password xxxxxxxxxx
 login
!
scheduler max-task-time 5000
end
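The post relies on `ip nat inside source route-map nonat interface Dialer0 overload` with route-map `nonat` matching `access-list 110`, so which LAN flows reach the internet is decided by how each flow evaluates against that extended ACL: a `permit` result means the flow is translated, while a `deny` or the implicit deny at the end of the list means it is not. The script below is an added example, not part of the original post and not a Cisco tool: it parses extended ACL lines in IOS syntax (wildcard masks, `host`, `any`, `eq <port>`) and evaluates constructed sample flows against a copy of ACL 110. The public addresses, which are masked as `86.xx.xx.xx` etc. in the post, are replaced with made-up placeholders, and the flow tuples are constructed for illustration.

```python
"""Evaluate a Cisco IOS extended ACL, as used by a NAT route-map, against sample flows.

Added example for illustration. The ACL text mirrors access-list 110 from the post,
with the masked public addresses replaced by constructed placeholders (86.0.0.1 etc.).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS accepts service names instead of port numbers; only the ones needed here.
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21, "telnet": 23, "smtp": 25}

# Constructed copy of the posted ACL; 86.0.0.1 / 216.0.0.1 stand in for the masked IPs.
ACL_110 = """
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.6.14.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.0.0.1 eq 10008
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 216.0.0.1 eq www
"""


@dataclass
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (any protocol), "tcp" or "udp"
    src_net: int
    src_wild: int
    dst_net: int
    dst_wild: int
    dst_port: Optional[int]  # only a destination "eq <port>" qualifier is supported


def _addr(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_endpoint(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (net, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Turn 'access-list N <action> <proto> <src> <dst> [eq <port>]' lines into ACEs, in order."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()                  # collapses the padding after 'deny'
        action, proto = t[2], t[3]        # t[0]='access-list', t[1]='110'
        src_net, src_wild, i = _parse_endpoint(t, 4)
        dst_net, dst_wild, i = _parse_endpoint(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            p = t[i + 1]
            port = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        aces.append(Ace(action, proto, src_net, src_wild, dst_net, dst_wild, port))
    return aces


def _wild_match(addr: int, net: int, wild: int) -> bool:
    # Wildcard bits set to 1 are "don't care"; only the 0 bits must agree.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation: 'permit', 'deny', or 'implicit-deny' when nothing matches."""
    s, d = _addr(src), _addr(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not _wild_match(s, ace.src_net, ace.src_wild):
            continue
        if not _wild_match(d, ace.dst_net, ace.dst_wild):
            continue
        if ace.dst_port is not None and ace.dst_port != dport:
            continue
        return ace.action
    return "implicit-deny"


def nat_decision(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """With 'ip nat inside source route-map', only flows the ACL permits are translated."""
    return "translate" if evaluate(aces, proto, src, dst, dport) == "permit" else "no-translate"


ACES = parse_acl(ACL_110)

if __name__ == "__main__":
    # Constructed flows: tunnel-bound traffic, an allowed public destination, and a random site.
    for flow in [("tcp", "192.168.1.5", "10.6.14.20", 445),
                 ("tcp", "192.168.146.10", "86.0.0.1", 10008),
                 ("tcp", "192.168.146.10", "216.0.0.1", 443)]:
        print(flow, evaluate(ACES, *flow), nat_decision(ACES, *flow))
```

The deny entries at the top of the list keep tunnel-bound traffic out of the translation, and every flow that falls off the end of the list hits the implicit deny and is likewise not translated; only the explicitly permitted destination and port pairs are NATed out of Dialer0. When testing a change like this, `show ip nat translations` on the spoke shows which flows are actually being translated, which is a quicker check than a reboot.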