Cisco ACL for VPN users


Jax22 (IS-IT--Management), Feb 16, 2010
I have a client who must not be able to access anything but a single webserver on the LAN (where he logs in through VPN).

crypto isakmp client configuration group myclient
 key mysecretkey
 pool client-ippool
 include-local-lan
 netmask 255.255.255.0
 acl myclient-firewall

ip access-list extended myclient-firewall
 permit tcp any host 192.168.1.10 eq www
 deny ip any any


Now I would assume this works like a charm, but it doesn't. With these settings the client is able to access ANYTHING on the LAN, and the funny thing is that if I remove the "deny ip any any" rule then it can't access anything, including the target webserver...

 
Post the entire config---looks like the VPN subnet may be NATed?

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
OK, I will post the config later. Yes, it's NATed; what's surprising about that?
The router basically gives every client an IP from the 192.168.1.X pool.
 
The VPN subnet cannot be NATed---you will not have access to inside LAN resources.

 
Yeah, I mean the network is NATed. The simplified network schematic is basically this:


Internet--ROUTER1--SWITCH
-VPN ROUTER 192.168.1.2
-LAN WEBSERVER 192.168.1.10

And there is no problem with network access whatsoever; the problem is only with the ACL, which is set up on the VPN router to allow access to the webserver on the LAN.
 
OK---post the config when you get a chance...

 
Hi

I solved it eventually. The thing is that the ACL is for something else.

In my case Ethernet0 was the LAN interface and Ethernet1 was the IPsec interface.

So basically setting two access-group ACLs on Ethernet0 (in/out) and filtering the clients' traffic there solved the problem.

 
Grrrrreat!

 
burt, ispking, correct me if I'm wrong, but isn't that ACL inside the crypto map defining 'interesting' traffic and not really blocking anything?
 
It is enabling split-tunnelling.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yup.

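The distinction the last replies make, written out as an added example that is not the poster's config nor anything from Tek-Tips: the ACL referenced by the client group only selects which destinations the client sends through the tunnel, while the actual filtering lives in the access-groups on the LAN interface, as Jax22 described. Assumed values: LAN interface Ethernet0, the web server 192.168.1.10 from the thread, and a VPN pool of 192.168.1.193-192.168.1.254 (summarised by the wildcard 192.168.1.192 0.0.0.63).

```cisco
! Added example, not the thread's own config. Assumed: LAN interface Ethernet0,
! web server 192.168.1.10 (from the thread), VPN pool 192.168.1.193-192.168.1.254
! (covered by the wildcard 192.168.1.192 0.0.0.63), group name and key from the thread.
!
ip local pool client-ippool 192.168.1.193 192.168.1.254
!
! Split-tunnel ACL: tells the client which destination networks go through the
! tunnel. It selects traffic; it never drops anything, so it cannot act as a firewall.
ip access-list extended myclient-split
 permit ip 192.168.1.0 0.0.0.255 any
!
crypto isakmp client configuration group myclient
 key mysecretkey
 pool client-ippool
 acl myclient-split
!
! Filtering ACLs on the LAN interface, where decrypted client traffic is forwarded.
! Outbound (router -> LAN): pool addresses may only reach the web server on TCP/80;
! everything else from the pool is dropped and logged. Other hosts are unaffected
! because of the final permit.
ip access-list extended vpn-to-lan
 permit tcp 192.168.1.192 0.0.0.63 host 192.168.1.10 eq www
 deny   ip  192.168.1.192 0.0.0.63 any log
 permit ip  any any
!
! Inbound (LAN -> router): only replies from the web server's port 80 may travel
! back toward the pool; anything else addressed to a pool address is dropped.
ip access-list extended lan-to-vpn
 permit tcp host 192.168.1.10 eq www 192.168.1.192 0.0.0.63 established
 deny   ip  any 192.168.1.192 0.0.0.63 log
 permit ip  any any
!
interface Ethernet0
 ip access-group vpn-to-lan out
 ip access-group lan-to-vpn in
!
! Check: "show ip access-lists vpn-to-lan" should show the permit line's hit count
! growing while a client browses the web server, and the deny line's for anything else.
```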
 