Cisco Support Community
Restricting remote access so that only certain servers can be accessed

Remote users connect to our corporate LAN using a Cisco VPN client and RSA SecurID card, which authenticates against our Cisco Secure ACS server and ACE database.

Their IPSEC tunnels terminate on our PIX515E firewall at the head office. The PIX is configured with a pool of IP addresses, which are allocated to these remote users.

We want to allow an external company access to some specific servers on our LAN and want to give them an RSA SecurID card to gain access, in a similar fashion to "normal" remote users.

However, we want to restrict their access so that they can ONLY access the specific servers they should be working on rather than all the devices on our corporate LAN.

What are the best/recommended ways of achieving this?

Thanks.

5 REPLIES

Re: Restricting remote access so that only certain servers can be accessed

Hi

I would think of using a separate pool for the new RAVPN connections from the external company, so that you can allocate an IP from that pool.

Based on the new pool of IPs, create the ACL entries according to the access requirement and apply them.

Regards

Re: Restricting remote access so that only certain servers can be accessed

Hello,

you can define access-lists for users and download them through RADIUS to the PIX. The pros and cons of the different options are described in the Sample Configuration Guide for Cisco Secure ACS and PIX Firewall in the section "ACLs with RADIUS" at

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html

Also have a look at "Inbound RADIUS AAA with Remote Cisco Secure ACS Administration", which gives a hint on how to achieve what you would like to do. You need to adjust the ACLs to your requirements.

Hope this helps!

Regards, Martin
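Putting the two suggestions above together (a separate pool for the external company, and an access list that permits only the agreed servers), here is an added example that is not code from this thread, from Cisco or from ACS. It uses constructed addresses, renders the entries in PIX access-list syntax, and simulates the first-match evaluation with an implicit deny, so the intended policy can be checked before it is entered on the PIX or as a downloadable ACL in ACS.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed policy for illustration (assumed addresses, not from the thread): a separate
# address pool for the external company and the only servers/ports that pool may reach.
VENDOR_POOL = ipaddress.ip_network("10.99.0.0/24")
ALLOWED = [
    ("192.168.10.20", "tcp", 22),    # SSH to one build server
    ("192.168.10.21", "tcp", 3389),  # RDP to one jump host
]

@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]           # destination port, None = any port

def build_acl(pool: ipaddress.IPv4Network, allowed) -> List[Ace]:
    """One permit per allowed server/port, then an explicit deny for everything else."""
    aces = [Ace("permit", proto, pool, ipaddress.ip_network(host), port)
            for host, proto, port in allowed]
    aces.append(Ace("deny", "ip", pool, ipaddress.ip_network("0.0.0.0/0"), None))
    return aces

def to_pix(name: str, aces: List[Ace]) -> List[str]:
    """Render the entries in PIX access-list syntax (address followed by netmask)."""
    lines = []
    for a in aces:
        src = f"{a.src.network_address} {a.src.netmask}"
        # only single hosts and "any" appear as destinations in this policy
        dst = "any" if a.dst.prefixlen == 0 else f"host {a.dst.network_address}"
        port = f" eq {a.port}" if a.port is not None else ""
        lines.append(f"access-list {name} {a.action} {a.proto} {src} {dst}{port}")
    return lines

def evaluate(aces: List[Ace], src: str, dst: str, proto: str, port: int) -> str:
    """First-match evaluation with an implicit deny, the way the firewall walks an ACL."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for a in aces:
        if s not in a.src or d not in a.dst:
            continue
        if a.proto != "ip" and a.proto != proto:
            continue
        if a.port is not None and a.port != port:
            continue
        return a.action
    return "deny"
```

The evaluator checks only the intended policy; whether the PIX enforces it still depends on that ACL being the one applied to the vendor's sessions, so confirm on the firewall which ACL the client's traffic is actually matched against.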

Re: Restricting remote access so that only certain servers can be accessed

That's correct, this is working for me. In fact, you can define the application port to use, and you can define many ACLs for different access types or vendors using the same pool. The only thing is whether RSA still works with the RADIUS ACL...

Regards

JCar

Re: Restricting remote access so that only certain servers can be accessed

I've followed the instruction to a tee using AV pairs and downloadable ACLs. Neither is working for me. Traffic passes to the client flawlessly from everywhere, apparently using the dynamic ACL in lieu of the downloaded one.

Would you mind sharing some of the more important bits of your PIX and ACS configuration?

ovt

Re: Restricting remote access so that only certain servers can be accessed

Be aware of the following drawback when using downloadable ACLs:

http://www.securityfocus.com/bid/16025/references