VPN client and access-lists

sasa.rasovic
Level 1

Hi,

I cannot seem to find a way to enable access-list filtering of VPN-client requests to internal network clients.

Example:

ip local pool vpn_clients 10.1.1.1-10.1.1.254
access-list 10 permit ip 10.1.2.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list 10
vpngroup group_one address-pool vpn_clients
vpngroup group_one split-tunnel 10

So, when the client is connected, how can I say it can access only ports 80 and 443 on the internal 10.1.2.0 subnet?

I know you can do it using ACS, so when the client is authenticated it will automatically download the appropriate ACL for it. But is there a way to do it without an AAA server, and even without xauth?

Any thoughts?

Sasa

2 Replies

jackko
Level 7

By default, the command "sysopt connection permit-ipsec" is on. It means that all VPN traffic is permitted without being checked against an ACL.

With your scenario, you will need to first disable that command with "no sysopt connection permit-ipsec". Then, you will need to configure an appropriate ACL and apply it to the outside interface.

no sysopt connection permit-ipsec
access-list 111 permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 80
access-list 111 permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443
access-group 111 in interface outside

By disabling the command "sysopt connection permit-ipsec", it will affect all VPNs, not only the VPN client. That means you have to configure the inbound ACL for both LAN-to-LAN VPN and remote VPN.
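As an added illustration (my own Python model, not code from this thread or from Cisco), the following script mimics how the PIX evaluates decrypted VPN-client flows against the outside ACL once "sysopt connection permit-ipsec" is turned off. It assumes the behaviour described in the reply above: with the sysopt on, decrypted IPsec traffic bypasses the interface ACL; with it off, the ACL is consulted, first match wins, and an unmatched flow hits the implicit deny. PIX ACLs take subnet masks (not IOS-style wildcard masks), which the parser honours. Only the subset of ACL syntax used in the thread (protocol, source/destination with mask, optional "eq <port>") is handled; the sample flows are constructed.

```python
"""Model of PIX outside-interface ACL filtering of decrypted VPN traffic.

Added example, not part of the original thread.  It handles only the
access-list syntax used above and assumes the sysopt semantics jackko
describes.  Sample flows are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_pix_ace(line: str) -> AclEntry:
    """Parse 'access-list <id> <action> <proto> <src> <mask> <dst> <mask> [eq <port>]'.

    PIX masks are subnet masks, so (address, netmask) is handed to ipaddress.
    """
    tok = line.split()
    if tok[0] not in ("access-list", "access-l"):
        raise ValueError("not an access-list line: %r" % line)
    action, proto = tok[2], tok[3]
    src = ipaddress.IPv4Network((tok[4], tok[5]), strict=False)
    dst = ipaddress.IPv4Network((tok[6], tok[7]), strict=False)
    dport = int(tok[9]) if len(tok) > 9 and tok[8] == "eq" else None
    return AclEntry(action, proto, src, dst, dport)


def acl_permits(acl: List[AclEntry], flow: Flow) -> bool:
    """First matching entry decides; no match means the implicit deny applies."""
    s = ipaddress.IPv4Address(flow.src)
    d = ipaddress.IPv4Address(flow.dst)
    for e in acl:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if s not in e.src or d not in e.dst:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action == "permit"
    return False


def vpn_flow_allowed(acl: List[AclEntry], flow: Flow,
                     sysopt_permit_ipsec: bool) -> bool:
    """With 'sysopt connection permit-ipsec' on, decrypted VPN traffic skips
    the interface ACL entirely; with it off, the outside ACL is consulted."""
    if sysopt_permit_ipsec:
        return True
    return acl_permits(acl, flow)


def blocked_flows(acl: List[AclEntry], flows: List[Flow],
                  sysopt_permit_ipsec: bool) -> List[Flow]:
    """Return the flows that would be dropped under the given setting.  Useful
    for checking that LAN-to-LAN traffic is still covered once sysopt is off."""
    return [f for f in flows if not vpn_flow_allowed(acl, f, sysopt_permit_ipsec)]


# The ACL from the reply above (lines as typed on the PIX).
ACL_111 = [parse_pix_ace(l) for l in (
    "access-list 111 permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 80",
    "access-list 111 permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq 443",
)]

# Constructed sample flows from a VPN client that drew 10.1.1.5 from the pool.
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.1.5", "10.1.2.10", 80),    # web: permitted
    Flow("tcp", "10.1.1.5", "10.1.2.10", 443),   # https: permitted
    Flow("tcp", "10.1.1.5", "10.1.2.10", 22),    # ssh: implicit deny
    Flow("udp", "10.1.1.5", "10.1.2.10", 80),    # wrong protocol: implicit deny
    Flow("tcp", "10.1.1.5", "10.1.3.10", 80),    # other subnet: implicit deny
]

if __name__ == "__main__":
    for setting in (True, False):
        print("sysopt connection permit-ipsec:", "on" if setting else "off")
        for f in SAMPLE_FLOWS:
            verdict = "permit" if vpn_flow_allowed(ACL_111, f, setting) else "deny"
            print("  %s %s -> %s:%d  %s" % (f.proto, f.src, f.dst, f.dport, verdict))
```

Running it with the sysopt on shows every sample flow permitted, which is the situation the original poster is trying to change; with it off, only the two web ports to 10.1.2.0/24 survive. Feeding `blocked_flows` the flows of an existing LAN-to-LAN tunnel before making the change is a quick way to confirm that the same ACL does not silently cut that tunnel off, as the reply warns.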

Thanks Jackko,

Thought of it, but for some reason didn't think disabling sysopt would be the only possible solution.

Good Luck,

Sasa