Restricting access for certain VPN clients

I’ve attached a network diagram that illustrates our current network setup. We have a server at our location running web services that are integrated with an application running on that server. Since it’s connected to our LAN, it’s only accessible to clients on the inside or clients using VPN. What I’m trying to do is develop a way to allow certain VPN clients access to only that web server and no other network resources.

The problem, for me anyway, is that the HTTP server is a hop away from our Internet connection and VPN concentrator, as you can see on the attached map. I can create a separate VPN group and give it a unique network via DHCP so I can restrict that network using an ACL, but I am not sure where to place that ACL. The concentrator’s public interface is directly connected to the Internet, and its private interface directly to the LAN, a switch that is then connected to a router. Not the ideal setup, but I didn’t set it up. So if a VPN client comes in, he’s immediately passed to the LAN, a switch, in Atlanta, 10.1.1.0, and from there is sent to the router, 10.1.1.1, which is connected to a frame-relay network that leads to my router and LAN with my HTTP server. What would it take to get this to work?

Thank you,

Bill


5 REPLIES
Silver

Re: Restricting access for certain VPN clients

Bill,

Have you thought about doing the filtering on the Cat 3500?

Looking at your diagram that's the most effective place you can filter this traffic.

You could filter on the 10.1.0.0 LAN default gateway port, but I'm sure this would be awkward to get working, as this could be defeated by a device on that network running proxy ARP.

This link should help; it's the relevant part of the Cat 3550 configuration guide.

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swacl.htm

Andy
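
Added example (not from any poster on this thread) of what the switch-side filtering Andy suggests could look like on a Catalyst 3550: an extended IP ACL applied inbound as a port ACL on the switch port that faces the VPN 3000 concentrator's private interface, so it sees decapsulated VPN client traffic before it reaches the 10.1.1.1 gateway and cannot be bypassed with proxy ARP on the LAN. The interface name, the restricted VPN address pool (10.9.9.0/24) and the web server address (10.2.1.10) are assumptions chosen for the example; substitute the pool handed to the restricted group and the real server address.

```cisco
! Added example: restrict one VPN address pool to a single web server.
! Assumed values: restricted VPN pool 10.9.9.0/24, web server 10.2.1.10,
! concentrator private interface cabled to FastEthernet0/1.
ip access-list extended VPN-WEB-ONLY
 remark Restricted VPN pool may reach only the web server, HTTP (add 443 if TLS is used)
 permit tcp 10.9.9.0 0.0.0.255 host 10.2.1.10 eq 80
 remark Anything else sourced from the restricted pool is dropped
 deny   ip  10.9.9.0 0.0.0.255 any
 remark Other VPN groups and all other traffic entering this port are unaffected
 permit ip  any any
!
interface FastEthernet0/1
 description VPN 3000 concentrator - private interface
 ip access-group VPN-WEB-ONLY in
```

The ACL matches on the pool address the restricted group receives, so the group must be given its own pool (as Bill planned) and no other group may draw from it. Port ACLs on the 3550 apply inbound only, which is sufficient here because the web server's replies flow the other way. The closing `permit ip any any` is needed because of the implicit deny at the end of every IOS ACL; without it the concentrator's other VPN groups would lose LAN access as well.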

Gold (Accepted Solution)

Re: Restricting access for certain VPN clients

A filter can be configured on the concentrator in order to restrict the remote VPN access.

1. Create a rule: go to Configuration | Policy Management | Traffic Management | Rules.

2. Create a filter and assign the rule created to the filter: go to Configuration | Policy Management | Traffic Management | Filters.

3. Apply the filter to the group: go to Configuration | User Management | Groups | Modify | General.

Community Member

Re: Restricting access for certain VPN clients

That worked great, thank you.

Community Member

Re: Restricting access for certain VPN clients

I have been trying to restrict the VPN access traffic using the rules of the VPN concentrator, but I am unable to restrict the address. If I permit port 80 then all the web services will be accessible.

Is there any way I can restrict access to specified hosts and specific ports?

Gold

Re: Restricting access for certain VPN clients

Follow my previous post, except when applying the filter, go to Configuration | User Management | Users | General.
