Restricting access for certain VPN clients

WILLIAM STEGMAN
Level 4

I’ve attached a network diagram that illustrates our current network setup. We have a server at our location running web services that are integrated with an application running on that server. Since it’s connected to our LAN, it’s only accessible to clients on the inside or clients using VPN. What I’m trying to do is develop a way to allow certain VPN clients access to only that web server and no other network resources. The problem, for me anyway, is that the HTTP server is a hop away from our Internet connection and VPN concentrator, as you can see on the attached map. I can create a separate VPN group and give it a unique network via DHCP so I can restrict that network using an ACL, but I am not sure where to place that ACL. The concentrator’s public interface is directly connected to the Internet, and its private interface is connected directly to the LAN, a switch that is then connected to a router. Not the ideal setup, but I didn’t set it up. So if a VPN client comes in, he’s immediately passed to the LAN, a switch, in Atlanta, 10.1.1.0, and from there is sent to the router, 10.1.1.1, which is connected to a frame-relay network that leads to my router and LAN with my HTTP server. What would it take to get this to work?

Thank you,

Bill

5 Replies

aacole
Level 5

Bill,

Have you thought about doing the filtering on the Cat 3500?

Looking at your diagram that's the most effective place you can filter this traffic.

You could filter on the 10.1.0.0 LAN default gateway port but I'm sure this would be awkward to get working as this could be defeated by a device on that network running Proxy ARP.

This link should help, it's the relevant part of the Cat 3550 configuration guide.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swacl.htm

Andy
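As an added illustration of Andy's suggestion (this is not configuration from the thread), here is what a port ACL on the Cat 3550 port facing the concentrator's private interface could look like. The VPN pool 10.1.9.0/24, the web server address 10.1.2.10 and the interface name are placeholders; the page does not give the real values.

```cisco
! Added example, not from the original thread. Addresses are placeholders.
! Goal: the restricted VPN group (pool 10.1.9.0/24) may reach only the
! web server (10.1.2.10) on TCP/80; every other VPN group is unaffected.
ip access-list extended VPN-WEB-ONLY
 remark --- restricted VPN pool: web server on port 80 only ---
 permit tcp 10.1.9.0 0.0.0.255 host 10.1.2.10 eq 80
 remark --- everything else from the restricted pool is dropped ---
 deny   ip  10.1.9.0 0.0.0.255 any
 remark --- other VPN groups and LAN traffic pass untouched ---
 permit ip  any any
!
! Apply inbound on the Layer 2 port connected to the concentrator's
! private interface. Port ACLs on the 3550 are inbound only, which is
! all that is needed here: this direction carries client -> LAN traffic,
! and the server's replies leave this port outbound, so they are not
! filtered by the ACL.
interface FastEthernet0/1
 description To VPN 3000 concentrator private interface (placeholder port)
 ip access-group VPN-WEB-ONLY in
```

If the restricted clients resolve the server by name, a matching permit line for DNS (UDP/53 to the internal DNS server) has to be added before the deny, since the ACL otherwise drops those lookups too.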

jackko
Level 7
(Accepted Solution)

A filter can be configured on the concentrator in order to restrict the remote VPN access.

1. Create a rule. Go to Configuration | Policy Management | Traffic Management | Rules.

2. Create a filter and assign the rule created to the filter. Go to Configuration | Policy Management | Traffic Management | Filters.

3. Apply the filter to the group. Go to Configuration | User Management | Groups | Modify | General.

That worked great, thank you.

I have been trying to restrict the VPN access traffic using the rules of the VPN concentrator, but I am unable to restrict the address. If I permit port 80 then all the web services will be accessible.

Is there any way I can restrict access to specified hosts and specific ports?

Follow my previous post, except when applying the filter, go to Configuration | User Management | Users | General.