New Member

VPN concentrator restrictions

We use a 3000 series concentrator to allow certain users access to a restricted part of our network.

It has been set up to allow PCs to also communicate with our private addresses (a class B).

I need to deny access to a couple of IPs internally (within the class B).

Is there a way to deny access to those IPs specifically, or do I have to go in and completely re-construct the allow lists?

Accepted Solution
Cisco Employee

Re: VPN concentrator restrictions

The most coherent way to do this is to use Filters and rules to deny traffic to these IP addresses; check the following link for that:

http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html

Create rules and add them to a filter that then can be applied to the Group that those clients are connecting to.

On a different approach, if these VPN clients are using TunnelAll as the split tunnel policy, you can change the policy to be "exclude networks in the list to bypass the tunnel" and use a network list (that will contain those restricted hosts); then when traffic is intended for those hosts, the VPN client will not tunnel that traffic. FYI, this will cause traffic for those hosts under that SPLIT TUNNEL policy to be sent in plain text: not routed, but sent in plain text by the VPN client.

15 REPLIES
New Member

Re: VPN concentrator restrictions

I created two rules, one for each of the IPs to block. I set the source to the "specific IP" and the destination to any IP.

I applied the rule to the filter.

How do I apply the filter to a group?

Thanks for your patience.

Cisco Employee

Re: VPN concentrator restrictions

You need to go to Configuration | User Management, choose the group you need and edit it; then, once it has been edited, you go to the General tab and in there you have the option to specify the filter you want to use. Note: be very sure that your filter and rules are set correctly, else your CVPN will not pass traffic for that specific group.

New Member

Re: VPN concentrator restrictions

Thank you for that information.

I have the two rules to drop traffic (inbound) sourcing from those IPs to any destination, then the two rules for any IP inbound or outbound in the VPN client filter.

I am going on the assumption that it follows the rule list like an ACL: top down, and the first hit follows that rule.

I applied that filter to a group, but they are still receiving traffic from those two IPs.

Our proxy servers are communicating to the PCs on their regular DHCP address, not their VPN address.

Any other ideas?

Cisco Employee

Re: VPN concentrator restrictions

Mhhh, can you by any chance paste or upload your filter and rules setup? Did you reconnect your VPN client after applying this filter?

New Member

Re: VPN concentrator restrictions

Yes, I did disconnect and reconnect after making changes.

Attached are screenshots of one ISA rule; the only difference is the source IP on the second rule is 91 for the last octet.

Cisco Employee

Re: VPN concentrator restrictions

Ok, try changing the source to be any and the destination to be your ISA box. VPN filters are sourced towards the group, in this case from the VPN pool towards the internal network.

New Member

Re: VPN concentrator restrictions

I tried reversing the source and destinations and the associated wildcard masks.

Still no dice, they can communicate with the proxies.

Cisco Employee

Re: VPN concentrator restrictions

Can you put up a screenshot of your VPN group's general setup where it shows how the filter is applied?

New Member

Re: VPN concentrator restrictions

We have several groups. This is the group I have been testing on. I made sure my "Test subject" is in the group I applied the policy to.

Cisco Employee

Re: VPN concentrator restrictions

All looks good here. What is the default action of your filter? I would advise you to use a different filter than the ones that the CVPN has already defined there; not saying that is the reason, but using a predefined one could cause an issue.

New Member

Re: VPN concentrator restrictions

OK, I created a new filter.

I told it to forward traffic if none of the rules apply, then just added the drop rules for the ISAs.

That did not work. Then I tried switching the source and destinations and that did not work either.

Any other ideas?

Cisco Employee

Re: VPN concentrator restrictions

Sorry, I am out of ideas here; this should work, as I have implemented it several times.

If this is not working yet, you might want to open a case with the TAC to check this out, or you can try to use the split tunnel policy thought I had before too.

New Member

Re: VPN concentrator restrictions

Well, I did it the "hard way". In the allowed networks, I added multiple networks up to the proxy address, then skipped them and added networks after them.

Basically, instead of

x.x.x.0/0.0.127.255

I used:

x.x.x.0/0.0.0.63

x.x.x.64/0.0.0.15

x.x.x.80/0.0.0.7

x.x.x.88/0.0.0.1

x.x.x.92/0.0.0.3

x.x.x.96/0.0.0.31

x.x.x.128/0.0.0.127

x.x.1.0/0.0.0.255

x.x.2.0/0.0.1.255

x.x.4.0/0.0.3.255

x.x.8.0/0.0.7.255

x.x.16.0/0.0.15.255

x.x.32.0/0.0.31.255

x.x.64.0/0.0.63.255

So far so good.

I really appreciate your efforts on trying to help with this.
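The "hard way" list above is one instance of a general procedure: split an address/wildcard block along its binary tree so that every address except the excluded hosts is still covered, with as few entries as possible. The Python below is an added example, not code from this thread or from Cisco, that computes such a network list for any base block and any set of excluded hosts and checks the result. All addresses in it are constructed: the thread's x.x.x prefix is filled in as 10.1.0, and the two excluded hosts are assumed to be .90 and .91 (the thread names .91 and the hand-built list skips exactly .90 and .91). The address/wildcard notation follows the entries shown in the post.

```python
import ipaddress
from typing import Iterable, List


def parse_wildcard_entry(entry: str) -> ipaddress.IPv4Network:
    """Parse a network-list entry written as address/wildcard
    (e.g. 10.1.0.0/0.0.127.255) into an IPv4Network."""
    addr, wildcard = entry.split("/")
    wc = int(ipaddress.IPv4Address(wildcard))
    # A usable wildcard is a contiguous run of low-order 1 bits,
    # so wc + 1 must be a power of two.
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard mask in {entry!r}")
    host_bits = (wc + 1).bit_length() - 1
    # strict=True rejects an address that is not aligned to its own mask
    return ipaddress.IPv4Network((addr, 32 - host_bits), strict=True)


def format_wildcard_entry(net: ipaddress.IPv4Network) -> str:
    """Render an IPv4Network back into address/wildcard form."""
    return f"{net.network_address}/{net.hostmask}"


def exclude_hosts(base_entry: str, hosts: Iterable[str]) -> List[str]:
    """Return the minimal address/wildcard list covering every address of
    base_entry except the given hosts.  Each exclusion splits the block
    that contains the host along the binary tree, which is exactly the
    shape of the hand-built list in the post above."""
    remaining = [parse_wildcard_entry(base_entry)]
    for host in hosts:
        hn = ipaddress.IPv4Network(host)  # a /32 for a single host
        if not any(hn.subnet_of(n) for n in remaining):
            raise ValueError(f"{host} is not inside {base_entry} or is already excluded")
        updated = []
        for n in remaining:
            if hn.subnet_of(n):
                updated.extend(n.address_exclude(hn))
            else:
                updated.append(n)
        remaining = updated
    # collapse_addresses merges adjacent siblings should any be left over
    return [format_wildcard_entry(n)
            for n in sorted(ipaddress.collapse_addresses(remaining))]


def is_allowed(entries: Iterable[str], ip: str) -> bool:
    """True if ip falls inside any entry of the list (i.e. would be tunneled)."""
    target = ipaddress.IPv4Address(ip)
    return any(target in parse_wildcard_entry(e) for e in entries)


if __name__ == "__main__":
    # Constructed sample: the post's x.x.x.0/0.0.127.255 with x.x.x = 10.1.0,
    # excluding the two assumed proxy hosts .90 and .91.
    allow_list = exclude_hosts("10.1.0.0/0.0.127.255", ["10.1.0.90", "10.1.0.91"])
    for entry in allow_list:
        print(entry)
    print("10.1.0.90 allowed:", is_allowed(allow_list, "10.1.0.90"))
    print("10.1.0.89 allowed:", is_allowed(allow_list, "10.1.0.89"))
```

Running it reproduces the fourteen entries of the post (with 10.1.0 in place of x.x.x) and confirms that only the two excluded hosts fall outside the list. The `is_allowed` check is the part worth keeping around: after editing a network list by hand, it is easy to leave a gap or to re-include a host, and a quick membership test over the final list catches both.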
