Restricting remote access so that only certain servers can be accessed

mitchen (Level 2)

Remote users connect to our corporate LAN using a Cisco VPN client and RSA SecurID card, which authenticates against our Cisco Secure ACS server and ACE database.

Their IPsec tunnels terminate on our PIX 515E firewall at the head office. The PIX is configured with a pool of IP addresses, which are allocated to these remote users.

We want to allow an external company access to some specific servers on our LAN and want to give them an RSA SecurID card to gain access, in a similar fashion to "normal" remote users.

However, we want to restrict their access so that they can ONLY access the specific servers they should be working on rather than all the devices on our corporate LAN.

What are the best/recommended ways of achieving this?

Thanks.

5 Replies

spremkumar (Level 9)

Hi,

I would think of using a separate pool for the new RA VPN connections from the external company, so that you can hand out an IP from that pool.

Based on the new pool of IPs, create the ACL entries accordingly as per the access requirement and apply them.

Regards
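The separate-pool approach described above, written out as a PIX 6.x configuration fragment. This is an added example, not configuration from the original thread; the pool ranges, group names, server addresses, ports and group keys are assumed placeholders. The restriction is enforced by the outside interface ACL, which only sees decrypted tunnel traffic once the IPsec bypass is switched off.

```cisco
! Two address pools so vendor sessions are distinguishable by source address
! (all addresses and names below are assumed for illustration)
ip local pool corp-pool 192.168.100.1-192.168.100.254
ip local pool vendor-pool 192.168.101.1-192.168.101.30

! Each VPN group hands out its own pool; the vendor gets its own group name and key
vpngroup corp address-pool corp-pool
vpngroup corp password <corp-group-key>
vpngroup vendor address-pool vendor-pool
vpngroup vendor password <vendor-group-key>

! By default decrypted IPsec traffic bypasses interface ACLs. Turn that off so the
! outside ACL below is evaluated against traffic arriving through the tunnels.
no sysopt connection permit-ipsec

! Vendor pool (192.168.101.0/27): only the two servers and ports they work on,
! followed by an explicit deny so nothing else on the LAN is reachable
access-list outside_in permit tcp 192.168.101.0 255.255.255.224 host 10.1.1.50 eq 1433
access-list outside_in permit tcp 192.168.101.0 255.255.255.224 host 10.1.1.51 eq 22
access-list outside_in deny ip 192.168.101.0 255.255.255.224 any
! Corporate pool: unchanged, full LAN access
access-list outside_in permit ip 192.168.100.0 255.255.255.0 any
access-group outside_in in interface outside
```

Two things to check before relying on this: once `outside_in` is bound to the outside interface it governs everything arriving there, so any inbound permits you already had (published servers, management) must be carried into the same list; and after the vendor connects, `show access-list outside_in` should show the hit count on the `deny` line climbing when they try anything beyond the permitted hosts and ports. If your software version also needs explicit permits for IKE and ESP to the firewall's own outside address once the sysopt is removed, add those as well; that is an assumption to verify on your release.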

Hello,

you can define access-lists for users and download them through RADIUS to the PIX. The pros and cons of the different options are described in the Sample Configuration Guide for Cisco Secure ACS and PIX Firewall in the section "ACLs with RADIUS" at

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html

Also have a look at "Inbound RADIUS AAA with Remote Cisco Secure ACS Administration", which gives a hint on how to achieve what you would like to do. You need to adjust the ACLs to your requirements.

Hope this helps!

Regards, Martin
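The downloadable-ACL approach from the reply above, as an added illustration that is not from the thread or the linked guide. The PIX needs a RADIUS server group pointing at ACS with XAUTH for the VPN clients bound to it; the ACL itself is defined in ACS and pushed to the PIX per user at login, so nothing is applied to an interface. Server address, shared secret, group names and the ACL contents are assumed.

```cisco
! PIX side (assumed names and addresses): RADIUS server group for Cisco Secure ACS
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.1.1.10 <shared-secret> timeout 10
! Extended authentication (XAUTH) for the VPN clients against that group.
! ACS returns the per-user ACL with the Access-Accept; the PIX installs it
! for that client's assigned address only.
crypto map outside_map client authentication ACS

! ACS side: Shared Profile Components > Downloadable IP ACLs (older releases call
! this Downloadable PIX ACLs). Define an ACL named "vendor-dacl" whose contents are
! plain ACL lines without the access-list keyword. Source is "any" because the PIX
! scopes the ACL to the authenticated user's address anyway.
!   permit tcp any host 10.1.1.50 eq 1433
!   permit tcp any host 10.1.1.51 eq 22
!   deny ip any any
! Then in Group Setup for the vendor's ACS group, tick Downloadable ACLs and
! assign vendor-dacl. Normal remote users stay in a group with no ACL assigned.
```

To confirm the ACL actually arrived rather than the session falling back to the dynamic ACL, connect as a vendor user and run `show uauth` (the user should be listed as authenticated) and `show access-list` (the downloaded entries should appear against that user's address with their own hit counts). If only the dynamic ACL shows, check that the ACS group really has the downloadable ACL assigned and that authentication is going to ACS via RADIUS, not TACACS+.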

That's correct, this is working for me... In fact you can define the application port to use... and you can define many ACLs for different access types or vendors using the same pool... the only thing is whether RSA still works with the RADIUS ACL...

Regards

JCar

I've followed the instructions to a tee using AV pairs and downloadable ACLs. Neither is working for me. Traffic passes to the client flawlessly from everywhere, apparently using the dynamic ACL in lieu of the downloaded one.

Would you mind sharing some of the more important bits of your PIX and ACS configuration?

Be aware of the following drawback if using downloadable ACLs:

http://www.securityfocus.com/bid/16025/references
