Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
436
Views
0
Helpful
1
Replies

Implementing Security on Remote user VPN

Shobith K
Level 1
Level 1

‎01-20-2005 06:18 AM

Hi,

I have a pix 515e which is connected to internet and remote user vpn configured. NOW remote users with the cisco vpn client is able to login to the vpn but they have full access to the network. I want to restrict that and i want them to access only certain servers through certain ports. Can anyone help me on this.

Labels:
0 Helpful
1 Reply 1

sachinraja
Level 9
Level 9

‎01-20-2005 10:23 AM

Hi shobithk,

You can restrict users to access only to certain servers. You can do it using the following ways:

1) You can configure/alter the inside access list on the PIX. You can allow access to the IP pool (local) from only specified servers, which will restrict access. for eg, if the server ip is 192.168.1.1 and the IP pool assigned is 10.10.10.0/24, you can add the following on the inside interface:

access-list inside permit ip host 192.168.1.1 10.10.10.0 255.255.255.0 any

other traffic from the IP pool never reaches out of the PIX.

2) If you have a ACS server , you can configure downloadable access-lists, user based. After authentication, ACS will see the user and apply particular access list on the VPN client. You can search for "downloadable ACLs in ACS" topic on CCO.

3) In case, you have a VPN concentrator, you can apply firewall policies for the VPN clients, which will restrict access. Unfortunately, PIX doesnt support this. You should have a VPN 30xx concentrator for this.

4) If needed you can enable split tunneling and restrict access through the IPSEC tunnel. You can configure access-lists, which will allow only the specified traffic to pass through the tunnel. all the other traffic is put onto the LAN card. This is generally not advisible, though !!!

access-list 100 permit ip 10.10.10.0 255.255.255.0 host 192.168.1.1

vpn-group abc split-tunneling 100

thus, traffic only to 192.168.1.1 is allowed on the tunnel. other traffic is blocked.

5) In case you have a layer 3 switch inside, you can restrict the access to the LAN there. you can put ACLs on the VLAN and restrict..

Hope this helps.. you can choose any one of the above solution for your scenario. all the best... rate replies if found useful..

Raj

0 Helpful
Customers Also Viewed These Support Documents