01-12-2009 09:47 AM
We use a 3000 series concentrator to allow certain users access to a restricted part of our network.
It has been set up to allow PCs to also communicate with our private addresses (a class B).
I need to deny access to a couple of IPs internally (within the class B).
Is there a way to deny access to those IPs specifically, or do I have to go in and completely re-construct the allow lists?
01-12-2009 09:53 AM
The most coherent way to do this is to use Filters and rules to deny traffic to these IP Addresses, check the following link for that:
http://www.cisco.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/polmgt.html
Create rules and add them to a filter that then can be applied to the Group that those clients are connecting to.
On a different approach, if these VPN clients are using TunnelAll as the split tunnel policy, you can change the policy to be "exclude networks in the list to bypass the tunnel" and use a network list (that will contain those restricted hosts); then, when traffic is intended for those hosts, the VPN client will not tunnel that traffic. FYI, this will cause traffic for those hosts under that SPLIT TUNNEL policy to be sent in plain text: not routed, but sent in plain text by the VPN client.
01-12-2009 12:56 PM
I created two rules, one for each of the IPs to block. I set the source to the "specific IP" and the destination to any IP.
I applied the rule to the filter.
How do I apply the filter to a group?
Thanks for your patience.
01-12-2009 01:04 PM
You need to go to Configuration | User Management, choose the group you need and edit it; once it has been edited, you go to the General tab, and in there you have the option to specify the filter you want to use. Note: be very sure that your filter and rules are set correctly, else your CVPN will not pass traffic for that specific group.
01-12-2009 01:29 PM
Thank you for that information.
I have the two rules to drop traffic (inbound) sourcing from those IPs to any destination, then the two rules for any IP inbound or outbound in the VPN client filter.
I am going on the assumption that it follows the rule list like an ACL: top down, and the first hit follows that rule.
I applied that filter to a group, but they are still receiving traffic from those two IPs.
Our proxy servers are communicating with the PCs on their regular DHCP address, not their VPN address.
Any other ideas?
01-12-2009 01:42 PM
Mhhh, can you by any chance paste or upload your filter and rules setup? Did you reconnect your VPN client after applying this filter?
01-12-2009 01:51 PM
Yes, I did disconnect and reconnect after making changes.
Attached are screenshots of one ISA rule; the only difference is the source IP on the second rule is 91 for the last octet.
01-12-2009 01:57 PM
OK, try changing the source to be any and the destination to be your ISA box. VPN filters are sourced towards the group, in this case from the VPN pool towards the internal network.
01-12-2009 02:07 PM
I tried reversing the source and destinations and the associated wildcard masks.
Still no dice, they can communicate with the proxies.
01-12-2009 02:12 PM
Can you put up a screenshot of your VPN group's general setup where it shows how the filter is applied?
01-12-2009 02:16 PM
We have several groups. This is the group I have been testing on. I made sure my "Test subject" is in the group I applied the policy to.
01-12-2009 02:19 PM
All looks good here. What is the default action of your filter? I would advise you to use a different filter than the ones that the CVPN has already defined there; not saying that is the reason, but using a predefined one could cause an issue.
01-12-2009 02:32 PM
OK, I created a new filter.
I told it to forward traffic if none of the rules apply, then just added the drop rules for the ISAs.
That did not work. Then I tried switching the source and destinations and that did not work either.
Any other ideas?
01-12-2009 02:36 PM
Sorry, I am out of ideas here; this should work, as I have implemented it several times.
If this is not working yet, you might want to open a case with the TAC to check this out, or you can try the split tunnel policy thought I had before, too.
01-13-2009 07:31 AM
Well, I did it the "hard way". In the allowed networks, I added multiple networks up to the proxy address, then skipped them and added networks after them.
Basically, instead of
x.x.x.0/0.0.127.255
I used:
x.x.x.0/0.0.0.63
x.x.x.64/0.0.0.15
x.x.x.80/0.0.0.7
x.x.x.88/0.0.0.1
x.x.x.92/0.0.0.3
x.x.x.96/0.0.0.31
x.x.x.128/0.0.0.127
x.x.1.0/0.0.0.255
x.x.2.0/0.0.1.255
x.x.4.0/0.0.3.255
x.x.8.0/0.0.7.255
x.x.16.0/0.0.15.255
x.x.32.0/0.0.31.255
x.x.64.0/0.0.63.255
So far so good.
I really appreciate your efforts on trying to help with this.
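The list in the post above is the minimal set of prefix-aligned blocks that cover the original /17 while leaving out two adjacent hosts (.90 and .91). Working that out by hand is error-prone, so here is an added example, not code from the thread or from Cisco, that computes the same list for any base network and any number of excluded hosts, and then verifies that the result covers everything except the excluded hosts with no overlaps. The addresses 10.1.0.0/17, 10.1.0.90 and 10.1.0.91 are constructed placeholders standing in for the redacted x.x.x.x values; the "address/wildcard" output format is assumed from the post itself.

```python
# Added example: split a network list entry around specific excluded hosts.
# The concentrator's network list takes "address/wildcard" entries, so the
# output is rendered in that form (assumption based on the thread's entries).
import ipaddress


def exclude_hosts(base, excluded_hosts):
    """Return the sorted list of networks equal to `base` minus each host.

    Each excluded host splits the block that contains it down the binary
    tree of subnets, so the result is the smallest set of prefix-aligned
    blocks, which is the form a network list needs.
    """
    remaining = [ipaddress.ip_network(base)]
    for host in excluded_hosts:
        h = ipaddress.ip_network(host)  # a bare host parses as a /32 network
        updated = []
        for net in remaining:
            if h.subnet_of(net):
                # address_exclude yields the sibling blocks on the path down to h
                updated.extend(net.address_exclude(h))
            else:
                updated.append(net)
        remaining = updated
    return sorted(remaining)


def to_wildcard_entries(networks):
    """Render networks as 'address/wildcard' (hostmask) strings."""
    return [f"{n.network_address}/{n.hostmask}" for n in networks]


def verify(base, excluded_hosts, networks):
    """Check that `networks` cover every address in `base` except the
    excluded hosts, lie inside `base`, and do not overlap each other."""
    base_net = ipaddress.ip_network(base)
    excluded = {ipaddress.ip_address(h) for h in excluded_hosts}
    excluded_in_base = {a for a in excluded if a in base_net}

    if any(not n.subnet_of(base_net) for n in networks):
        return False
    if any(a in n for a in excluded_in_base for n in networks):
        return False
    for i, a in enumerate(networks):
        if any(a.overlaps(b) for b in networks[i + 1:]):
            return False
    # With no overlaps and no excluded hosts inside, equal address counts
    # means every other address in the base network is covered exactly once.
    return sum(n.num_addresses for n in networks) == (
        base_net.num_addresses - len(excluded_in_base)
    )


if __name__ == "__main__":
    base = "10.1.0.0/17"                      # constructed placeholder
    proxies = ["10.1.0.90", "10.1.0.91"]      # constructed placeholder hosts
    nets = exclude_hosts(base, proxies)
    for entry in to_wildcard_entries(nets):
        print(entry)
    print("consistent:", verify(base, proxies, nets))
```

Running this prints fourteen entries, the same shape as the poster's hand-built list (.0/0.0.0.63 through .64.0/0.0.63.255), and `verify` confirms that nothing is covered twice and that the two proxy addresses fall outside every entry. Because excluded hosts that are not inside the base network are simply ignored, the function can be run over each existing allow-list entry in turn.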