salman abid
Need to restrict internet access of users by using ezvpn

Hi,

I'm using EZVPN and having an issue. I want to restrict the internet access of LAN users on the spoke side. Our ISP has given us some public IPs, so any traffic should go first to these IPs. I have mentioned those public IPs with their port numbers in the NAT statement, but users still have open internet access.

Now my question is:

After putting the access-list on the spoke side, do I need to restart the router once?

Because in the case of EZVPN I have experienced one thing: if we make any changes on the HUB device, they only take effect on the spoke once we restart the spoke device.

Below I have mentioned the configurations of the HUB and spoke.

HUB = ASA5520

Spoke = cisco877 router

ASA5520:

access-list inside_access_in extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_access_in extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list Outside_cryptomap_dyn_430 extended permit ip any 192.168.1.0 255.255.255.0
access-list splittunnelacl_Alqouz_warehouse extended permit ip 10.6.14.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list splittunnelacl_Alqouz_warehouse extended permit ip 10.1.0.0 255.255.0.0 192.168.1.0 255.255.255.0
ip local pool alquoz 192.168.1.1-192.168.1.254 mask 255.255.255.0
group-policy ALQUOZ internal
group-policy ALQUOZ attributes
wins-server value 192.xx.xx.xx 192.xx.xx.xx
dns-server value 192.xx.xx.xx 192.xx.xx.xx
vpn-access-hours none
vpn-simultaneous-logins 20
vpn-idle-timeout none
vpn-session-timeout none
vpn-tunnel-protocol IPSec
ip-comp disable
re-xauth disable
pfs enable
ipsec-udp disable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value splittunnelacl_Alqouz_warehouse
default-domain value jashanmal.org
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout none
ip-phone-bypass disable
leap-bypass disable
nem enable
tunnel-group ALQUOZ type remote-access
tunnel-group ALQUOZ general-attributes
address-pool alquoz
default-group-policy ALQUOZ

Router cisco877:

Current configuration : 3376 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname *****
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T.bin
boot-end-marker
!
no logging console
enable secret xxxxxxxxxxxxxxx
!
no aaa new-model
ip cef
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.21
ip dhcp excluded-address 192.168.1.140 192.168.1.151
ip dhcp excluded-address 192.168.1.12
ip dhcp excluded-address 192.168.1.62
ip dhcp excluded-address 192.168.1.250
!
ip dhcp pool mypool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   option 150 ip 10.xx.xx.xx 10.xx.xx.xx
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
crypto ipsec client ezvpn jashanvpn
connect auto
group ALQUOZ key xxxxxxxxxx
mode network-extension
peer 83.xx.xx.xx
xauth userid mode interactive
!
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/50
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
description -----CONNECTED WITH ONT------
switchport access vlan 2
!
interface FastEthernet3
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
crypto ipsec client ezvpn jashanvpn inside
!
interface Vlan2
description -----connected to internet----
no ip address
ip nat outside
ip virtual-reassembly
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxx
ppp chap password xxxxxx
ppp pap sent-username xxxxxx password xxxxxxxxx
crypto ipsec client ezvpn jashanvpn
!
interface Dialer1
no ip address
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip dns view ezvpn-internal-view
domain name-server  10.xx.xx.xx
domain name-server  10.xx.xx.xx
ip nat inside source route-map nonat interface Dialer0 overload
!
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.6.14.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.xx.xx.xx eq 10008      <=====   Public IPs given by ISP
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.xx.xx.xx eq 10008
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 216.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 199.xx.xx.xx eq www
dialer-list 1 protocol ip permit
snmp-server community xxxx RO
snmp-server location -------ALQUOZ WH----
snmp-server enable traps tty
snmp-server enable traps cpu threshold
snmp-server enable traps syslog
snmp-server host 10.xx.xx.xx version 2c jash
!
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
!
line con 0
password xxxxxxxxxx
login
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxx
login
!
scheduler max-task-time 5000
end
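As an added example (not part of the original post and not Cisco code), here is a small Python checker that applies IOS extended-ACL semantics (wildcard masks, first match wins, implicit deny at the end) to entries like ACL 110 above, so the flows that `route-map nonat` will actually hand to NAT can be verified offline before touching the router. The `86.xx`/`216.xx` addresses are masked in the post, so the ACL below uses constructed placeholder values.

```python
import ipaddress

# Constructed stand-in for ACL 110 from the post; public IPs are placeholders.
ACL_110 = [
    "access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.6.14.0 0.0.0.255",
    "access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255",
    "access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 86.0.0.1 eq 10008",
    "access-list 110 permit tcp 192.168.146.0 0.0.0.255 host 216.0.0.1 eq www",
]

WELL_KNOWN = {"www": 80}  # IOS keyword ports used on this page


def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard mask: 0 bits must match, so invert it to get a normal netmask.
    mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False), tokens[2:]


def parse_ace(line):
    """Return (action, proto, src_net, dst_net, dst_port) for one access-list line."""
    tokens = line.split()
    action, proto = tokens[2], tokens[3]
    src, rest = parse_addr(tokens[4:])
    dst, rest = parse_addr(rest)
    port = None
    if rest[:1] == ["eq"]:
        port = WELL_KNOWN.get(rest[1]) or int(rest[1])
    return action, proto, src, dst, port


def acl_action(acl, src_ip, dst_ip, proto="tcp", dst_port=None):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for line in acl:
        action, aproto, asrc, adst, aport = parse_ace(line)
        if aproto != "ip" and aproto != proto:
            continue
        if s not in asrc or d not in adst:
            continue
        if aport is not None and aport != dst_port:
            continue
        return action
    return "deny"


def is_natted(acl, src_ip, dst_ip, proto="tcp", dst_port=None):
    """route-map nonat permit 10 / match ip address 110: only permit hits are translated."""
    return acl_action(acl, src_ip, dst_ip, proto, dst_port) == "permit"
```

Run `is_natted(ACL_110, "<lan host>", "<destination>", "tcp", <port>)` for the LAN hosts you expect to be blocked and allowed; a `False` for a flow that still reaches the internet tells you the running configuration is not the one you pasted.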
