02-18-2002 07:56 AM - edited 02-21-2020 11:36 AM
Is there any way to limit groups so they can only access certain IP addresses? I want to limit a certain user to access only one server.
Also, what can the split tunneling policy do for me?
Thanks for any help.
02-19-2002 11:16 AM
Split tunneling will allow your clients to access the internet or local LAN while they use the VPN, but this is a security concern. With the group you are configuring, make a network list and put that specific server in the list. Then apply this list to the group under "Only tunnel networks in list".
02-19-2002 04:56 PM
Gonazga,
Additionally, you can apply filter rules on the private interface so the traffic is checked before it goes into the network. You can make the rules for the IP addresses of the users coming in and only allow access to specific servers rather than the whole network.
Hope it makes sense,
Regards,
Aamir Waheed,
Cisco Systems, Inc.
02-22-2002 08:08 AM
Slightly confused here. I have a similar situation. I want to lock down a VPN group to one internal IP address/server only. No access to the rest of the LAN whatsoever. Can I do this and if so, how? (Cisco 3000 series).
Thanks for any help or pointers.
03-02-2002 08:22 PM
Very simple. It doesn't require "filters" on the private interface or anything crazy. What you can do is make a new group (say the "remoteconsultant" group).
For this group make a new network list under
Configuration | Policy Management | Traffic Management | Network Lists
Now in this list, only include the one IP address you want these people to speak to:
10.0.1.15/0.0.0.0
Now when they connect up to the concentrator, their client will be told to only send data for this single internal host to the concentrator (everything else will go to their default gateway).
Now I don't know if the connecting user can set up an NT "route add" statement or something to force the rest of the subnet through his client-to-concentrator tunnel. However, if you have a PIX or router behind your concentrator, you can of course enforce the "single-host only tunnel" with an access list.
Another option is giving the single host you want the guy to talk to a secondary IP address, and use this new subnet as his IP address specified when that user connects... like make a new subnet from your internal subnet just for him and your one server.
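As an added illustration of the network-list entry quoted above (example code written for this thread, not from the original posts or from Cisco): the concentrator's `address/wildcard` notation uses 0 bits for "must match", so `10.0.1.15/0.0.0.0` is a single host, and the client's split-tunnel decision is simply "does the destination match any entry". The list below is constructed for the example; the same match logic is what an access list on a PIX or router behind the concentrator would enforce if a client pushed extra routes into the tunnel.

```python
import ipaddress

# Constructed network list for the "remoteconsultant" group, in the
# concentrator's address/wildcard format (wildcard 0.0.0.0 = exact host).
REMOTE_CONSULTANT_LIST = ["10.0.1.15/0.0.0.0"]


def parse_entry(entry: str):
    """Split 'address/wildcard' into two 32-bit integers."""
    addr, wildcard = entry.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))


def matches(dst: str, entry: str) -> bool:
    """True if dst falls inside the entry; wildcard 1-bits are 'don't care'."""
    addr, wc = parse_entry(entry)
    return (int(ipaddress.IPv4Address(dst)) | wc) == (addr | wc)


def route_decision(dst: str, network_list) -> str:
    """Client-side split-tunnel choice: 'tunnel' if any entry matches,
    otherwise 'local' (the packet goes to the client's default gateway)."""
    return "tunnel" if any(matches(dst, e) for e in network_list) else "local"


def to_cidr(entry: str) -> str:
    """Convert a contiguous wildcard entry to CIDR, e.g. for an ACL behind
    the concentrator: 10.0.1.15/0.0.0.0 -> 10.0.1.15/32.
    Non-contiguous wildcards (e.g. 0.0.0.2) have no CIDR form and are rejected."""
    addr, wc = parse_entry(entry)
    if (wc + 1) & wc:  # wc+1 is a power of two only for contiguous wildcards
        raise ValueError(f"non-contiguous wildcard in {entry}")
    prefixlen = 33 - (wc + 1).bit_length()
    return str(ipaddress.IPv4Network((addr, prefixlen), strict=False))


if __name__ == "__main__":
    for dst in ("10.0.1.15", "10.0.1.16", "192.168.1.1"):
        print(dst, "->", route_decision(dst, REMOTE_CONSULTANT_LIST))
    print(to_cidr(REMOTE_CONSULTANT_LIST[0]))
```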