01-24-2006 08:08 AM
I've attached a network diagram that illustrates our current network setup. We have a server at our location running web services that are integrated with an application running on that server. Since it's connected to our LAN, it's only accessible to clients on the inside or clients using VPN. What I'm trying to do is develop a way to allow certain VPN clients access to only that web server and no other network resources. The problem, for me anyway, is that the http server is a hop away from our Internet connection and VPN concentrator, as you can see on the attached map. I can create a separate VPN group and give it a unique network via DHCP so I can restrict that network using an ACL, but am not sure where to place that ACL. The concentrator's public interface is directly connected to the Internet, and its private interface is connected directly to the LAN, a switch that is then connected to a router. Not the ideal setup, but I didn't set it up. So if a VPN client comes in, he's immediately passed to the LAN, a switch, in Atlanta, 10.1.1.0, and from there is sent to the router, 10.1.1.1, which is connected to a frame-relay network that leads to my router and LAN with my http server. What would it take to get this to work?
Thank you,
Bill
01-24-2006 02:36 PM
A filter can be configured on the concentrator in order to restrict the remote VPN access.
1. create a rule. go configuration | policy management | traffic management | rules
2. create a filter and assign the rule created to the filter. go configuration | policy management | traffic management | filters
3. apply the filter to the group. go configuration | user management | groups | modify
01-24-2006 11:16 AM
Bill,
Have you thought about doing the filtering on the Cat 3500?
Looking at your diagram that's the most effective place you can filter this traffic.
You could filter on the 10.1.0.0 LAN default gateway port but I'm sure this would be awkward to get working as this could be defeated by a device on that network running Proxy ARP.
This link should help; it's the relevant part of the Cat 3550 configuration guide.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swacl.htm
Andy
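One way to write the kind of router ACL Andy is pointing at on the Cat 3550, added here as an example and not taken from the thread or the linked guide; the restricted VPN pool 10.1.5.0/24, the web server 10.2.1.10 and the SVI Vlan10 are assumed values, not ones from Bill's diagram:

```cisco
! Added example (assumed addresses): restrict one VPN address pool to
! HTTP on a single web server and drop everything else from that pool.
ip access-list extended VPN-WEB-ONLY
 remark Restricted VPN group (assumed pool 10.1.5.0/24) -> web server (assumed 10.2.1.10), TCP/80 only
 permit tcp 10.1.5.0 0.0.0.255 host 10.2.1.10 eq 80
 remark Anything else sourced from the restricted pool is dropped
 deny   ip 10.1.5.0 0.0.0.255 any
 remark Traffic from every other source is left untouched
 permit ip any any
!
! Apply inbound on the 3550 interface (assumed SVI) that receives traffic
! arriving from the concentrator's side, so the ACL is hit before routing.
interface Vlan10
 ip access-group VPN-WEB-ONLY in
```

Because the ACL is keyed on the pool address, it only holds if the restricted group really is the only thing handed addresses from 10.1.5.0/24; check the concentrator's address assignment for that group when verifying.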
01-26-2006 05:06 AM
That worked great, thank you.
02-07-2006 12:31 PM
I have been trying to restrict the VPN access traffic using the rules of the VPN concentrator, but I am unable to restrict the address. If I permit port 80 then all the web services will be accessible.
Is there any way I can restrict access to specified hosts and specific ports?
02-07-2006 02:57 PM
Follow my previous post, except when applying the filter, go configuration | user management | users | general