Controlling access using VPN

sunilyk
Level 1

Hi,

I have a Cisco PIX 515 firewall. It has been configured for VPN access. The remote desktops connect using the Cisco VPN client software. Remote users are able to access the servers residing on the inside segments.

Now I want to restrict their access to particular ports, e.g. 80, 21, etc. (Right now they have full access.) My question is how can I achieve this?

Where should I call or bind the access list?

(Presently I am using one access-list which is used for the no-nat config and the split tunnel config in the vpngroup.)

Please advise.

Regards,

5 Replies

mostiguy
Level 6

What you can do is add an access list to the inside interface of your PIX, and restrict traffic from your servers to the IP netblock range that you assign to your VPN users.

Let's assume you currently are not filtering outbound access (you don't have an ACL attached to the inside interface), that you are using 192.168.0.0/24 for VPN users, and that your servers are using 192.168.1.0/24. 192.168.1.5 is a web server. 192.168.1.4 is an SMTP and POP3 mail server.

access-list insideoutblock permit tcp host 192.168.1.5 eq 80 192.168.0.0 255.255.255.0

access-list insideoutblock permit tcp host 192.168.1.4 eq 25 192.168.0.0 255.255.255.0

access-list insideoutblock permit tcp host 192.168.1.4 eq 110 192.168.0.0 255.255.255.0

access-list insideoutblock deny ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

access-list insideoutblock permit ip any any

The first three lines allow some return traffic from your servers to the VPN users. The 4th line blocks all traffic from the servers to the VPN users that does not match one of the first 3 lines. The 5th line allows your servers to make unhindered connections to the internet in the outbound direction; inbound access to them by internet hosts is still limited by the ACL attached to the outside PIX interface.

Thanks a lot!

So I should add this to the outbound access-list.

(While keeping all the other config the same, e.g.

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list 101

and the other vpngroup definitions.)

I will try this config and get back to you.

Regards,

Sunil

Hi,

I tried the configuration, but it is still not working.

Please see the following config:

access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0

nat (inside) 0 access-list 101

access-list acl_in permit tcp 192.168.1.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 21

and the other isakmp and vpngroup config.

After various tries, what I found is that I am not getting any hit count against the access-list applied to the inside interface, while access-list 101 is getting hits (hit count).

Any idea how this problem can be solved?

Regards,

Did you use an access-group command to bind the ACL to the inside interface?

Hi,

Yes, the access-lists are bound correctly.

The important thing is that the problem is solved now.

I applied the access-list to the outside interface.

e.g.:

access-list acl_out permit tcp 192.168.0.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 21

and removed the sysopt connection statement.

And it works to restrict the access for VPN users.

Thanks a lot for your info.

Regards,

Sunil
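To show why the inside-interface ACL from mostiguy's reply collected no hits while the outside-interface ACL in Sunil's final post did restrict the VPN users, here is an added example (not from the thread or from Cisco) that models PIX-style ACL evaluation in Python. It assumes an interface ACL is checked only for the first packet of a connection on the interface where the packet enters, that return packets of an established flow skip the ACL, and that the removed sysopt statement was "sysopt connection permit-ipsec", which exempts decrypted VPN traffic from the outside ACL; the addresses are the thread's own sample values and the flow list is constructed.

```python
import ipaddress
from collections import Counter

VPN_USERS = ipaddress.ip_network("192.168.0.0/24")  # vpngroup address pool
SERVERS = ipaddress.ip_network("192.168.1.0/24")    # inside server segment
ANY = ipaddress.ip_network("0.0.0.0/0")
# ACL entry: (action, src_net, src_port, dst_net, dst_port); None = any port
INSIDE_ACL = [  # mostiguy's suggestion, bound to the inside interface
    ("permit", SERVERS, 80, VPN_USERS, None),
    ("permit", SERVERS, 25, VPN_USERS, None),
    ("permit", SERVERS, 110, VPN_USERS, None),
    ("deny", SERVERS, None, VPN_USERS, None),
    ("permit", ANY, None, ANY, None),
]
OUTSIDE_ACL = [  # Sunil's final acl_out, bound to the outside interface
    ("permit", VPN_USERS, None, SERVERS, 21),
]  # anything else falls through to the implicit deny

def match(acl, src, sport, dst, dport):
    """First matching entry as (index, action); implicit deny if none."""
    for i, (action, snet, sp, dnet, dp) in enumerate(acl):
        if (src in snet and dst in dnet
                and sp in (None, sport) and dp in (None, dport)):
            return i, action
    return None, "deny"

def simulate(flows, sysopt_permit_ipsec):
    """Evaluate each flow's first packet (TCP SYN) on its ingress interface.
    flows: (ingress_iface, src, sport, dst, dport). Returns verdicts, hits."""
    hits = {"inside": Counter(), "outside": Counter()}
    verdicts = {}
    for iface, src, sport, dst, dport in flows:
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = (str(src), str(dst), dport)
        if iface == "outside" and sysopt_permit_ipsec and src in VPN_USERS:
            verdicts[key] = "permit"  # decrypted VPN traffic bypasses the ACL
            continue
        idx, action = match(INSIDE_ACL if iface == "inside" else OUTSIDE_ACL,
                            src, sport, dst, dport)
        if idx is not None:
            hits[iface][idx] += 1
        verdicts[key] = action
        # the server's reply is part of this established flow: inside ACL never sees it
    return verdicts, hits

# Constructed sample: one VPN user opening HTTP and FTP to a server.
VPN_FLOWS = [
    ("outside", "192.168.0.10", 40001, "192.168.1.5", 80),
    ("outside", "192.168.0.10", 40002, "192.168.1.5", 21),
]
```

Run simulate(VPN_FLOWS, True) to reproduce the "no hits on the inside ACL, everything allowed" state, and simulate(VPN_FLOWS, False) to see the outside ACL permit only port 21.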