03-29-2007 08:47 AM
Greetings,
I'm attempting to limit access to network resources across a VPN tunnel but can't seem to get it right. Here's the situation...
Network resources:
1 Terminal Server (OKATERM1)
2 DCs + DNS (OKAMAIN1 & OKASQL1)
I want to allow DNS requests to the 2 DCs and RDP access to the Terminal Server for remote VPN clients. Nothing else is needed. My config looks good (to me), but clearly something is wrong. When I set up the VPN tunnel for testing there is full access to all 3 servers.
Any suggestions or comments are appreciated.
Config info follows:
name 192.168.2.11 OKASQL1
name 192.168.2.10 OKAMAIN1
name 192.168.2.12 OKATERM1
access-list compiled
access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host OKAMAIN1 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host OKASQL1 192.168.3.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip host OKATERM1 192.168.3.0 255.255.255.0
access-list outside_cryptomap_dyn_40 remark VPN access to DNS
access-list outside_cryptomap_dyn_40 permit tcp host OKAMAIN1 eq domain 192.168.3.0 255.255.255.0 eq domain
access-list outside_cryptomap_dyn_40 remark VPN access to DNS
access-list outside_cryptomap_dyn_40 permit tcp host OKASQL1 eq domain 192.168.3.0 255.255.255.0 eq domain
access-list outside_cryptomap_dyn_40 remark VPN access to Terminal Server
access-list outside_cryptomap_dyn_40 permit tcp host OKATERM1 eq 3389 192.168.3.0 255.255.255.0 eq 3389
vpngroup VPN-Remote address-pool VPN-IP-POOL
vpngroup VPN-Remote dns-server xxx
vpngroup VPN-Remote default-domain ad.okabstract.com
vpngroup VPN-Remote idle-time 3600
vpngroup VPN-Remote password
04-04-2007 06:26 AM
If you are attempting to limit access to network resources across a VPN tunnel, then the access-list should be denying the traffic to the specified location.
04-04-2007 06:19 PM
gddotts,
Right now you have two ACLs: access-list inside_outbound_nat0_acl and access-list outside_cryptomap_dyn_40.
The "inside_outbound_nat0_acl" ACL specifies NOT to translate the traffic to/from the VPN Clients and the LAN.
The "outside_cryptomap_dyn_40" ACL tells the device which traffic to encrypt and send through the tunnel.
Thus, there is nothing right now that tells the device what traffic to allow and deny.
You need to create another ACL and apply that filter to the VPN-Remote group.
Good luck
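What the reply above describes, written out as an added example (this is not from the original thread and not a Cisco document). It assumes PIX/ASA 7.x-style group-policy syntax for attaching a filter to the group, whereas the original post shows 6.x vpngroup commands, so the exact commands should be checked against the command reference for the running version. The client pool 192.168.3.0/24 is taken from the crypto and nat0 ACLs in the original post; the server names are the original 'name' entries. The ACL is written with the VPN client as source and the LAN host as destination, with the service port on the LAN side; that direction convention is an assumption of this example. The filter is separate from the two ACLs already in the config: the nat0 ACL still controls translation and the crypto ACL still selects what is encrypted, and the filter is what finally permits or denies.

```cisco
! Added example: per-group filter for VPN-Remote clients (not the poster's config).
! Assumes 7.x group-policy syntax and the 192.168.3.0/24 client pool from the thread.
names
name 192.168.2.10 OKAMAIN1
name 192.168.2.11 OKASQL1
name 192.168.2.12 OKATERM1
!
! Filter ACL: source = VPN client pool, destination = LAN server, port = service on the server.
! Client source ports are ephemeral, so no 'eq' is placed on the source side.
! DNS needs both UDP and TCP 53 (TCP is used for responses that exceed the UDP size and for zone transfers).
access-list VPN-REMOTE-FILTER remark DNS to the two domain controllers
access-list VPN-REMOTE-FILTER extended permit udp 192.168.3.0 255.255.255.0 host OKAMAIN1 eq domain
access-list VPN-REMOTE-FILTER extended permit tcp 192.168.3.0 255.255.255.0 host OKAMAIN1 eq domain
access-list VPN-REMOTE-FILTER extended permit udp 192.168.3.0 255.255.255.0 host OKASQL1 eq domain
access-list VPN-REMOTE-FILTER extended permit tcp 192.168.3.0 255.255.255.0 host OKASQL1 eq domain
access-list VPN-REMOTE-FILTER remark RDP to the terminal server
access-list VPN-REMOTE-FILTER extended permit tcp 192.168.3.0 255.255.255.0 host OKATERM1 eq 3389
! The implicit deny at the end of the ACL already drops everything else from the pool;
! the explicit line only makes the drops visible in 'show access-list' hit counts.
access-list VPN-REMOTE-FILTER extended deny ip 192.168.3.0 255.255.255.0 any
!
! Attach the filter to the group the remote clients land in (assumed group-policy name).
group-policy VPN-Remote attributes
 vpn-filter value VPN-REMOTE-FILTER
```

To confirm the filter is doing the work, connect a test client, attempt an RDP session to OKATERM1 and a file-share connection to OKAMAIN1, and compare the per-line hit counts in 'show access-list VPN-REMOTE-FILTER': the RDP line should increment, and the trailing deny line should increment for the share attempt.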