
Cisco PIX Restrict VPN Client to One IP Address

Status
Not open for further replies.

mxmaniac

MIS
Nov 4, 2002
2
US
I am trying to figure out how to create a new vpngroup that will just have access to one IP on the LAN. The VPNgroup I set up for the remote users works fine. The IP I need to have access to is 10.100.1.60

Here is the config

PIX Version 6.1(4)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password Wqp2ym2MWAZGl3us encrypted
passwd 3Ymag9g0yylKPFQy encrypted
hostname JJPIX01
domain-name jjj.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list 100 permit ip 10.100.20.0 255.255.254.0 10.10.10.0 255.255.255.0
pager lines 24
logging on
logging buffered informational
logging trap informational
logging history informational
logging host inside 10.100.20.77
no logging message 106011
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 12.26.12.71 255.255.255.255
ip address inside 10.100.20.62 255.255.255.0
ip address dmz 192.168.2.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool jjjjj 10.10.10.1-10.10.10.20
ip local pool ggggg 10.10.11.1-10.10.11.20
pdm location 10.200.20.0 255.255.255.255 outside
pdm location 10.200.21.0 255.255.255.255 outside
pdm location 10.100.20.70 255.255.255.255 inside
pdm location 10.100.20.71 255.255.255.255 inside
pdm location 10.100.20.74 255.255.255.255 inside
pdm location 10.100.20.75 255.255.255.255 inside
pdm location 10.100.20.76 255.255.255.255 inside
pdm location 10.100.20.77 255.255.255.255 inside
pdm location 10.100.20.82 255.255.255.255 inside
pdm location 10.100.20.113 255.255.255.255 inside
pdm location 10.100.20.211 255.255.255.255 inside
pdm location 192.168.2.67 255.255.255.255 dmz
pdm location 192.168.2.68 255.255.255.255 dmz
pdm location 192.168.2.69 255.255.255.255 dmz
pdm location 192.168.2.70 255.255.255.255 dmz
pdm location 192.168.2.75 255.255.255.255 dmz
pdm location 192.168.2.80 255.255.255.255 dmz
pdm location 192.168.2.81 255.255.255.255 dmz
pdm location 192.168.2.82 255.255.255.255 dmz
pdm location 192.168.2.83 255.255.255.255 dmz
pdm location 192.168.2.84 255.255.255.255 dmz
pdm location 192.168.2.86 255.255.255.255 dmz
pdm location 192.168.2.87 255.255.255.255 dmz
pdm location 192.168.2.88 255.255.255.255 dmz
pdm location 209.123.44.0 255.255.255.0 outside
pdm location 10.100.20.0 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 11.25.11.66
global (dmz) 1 192.168.2.60-192.168.2.90
nat (inside) 0 access-list 100
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 192.168.2.0 255.255.255.0 0 0
static (dmz,outside) tcp 11.25.11.67 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.68 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.69 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.70 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.75 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.80 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.81 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.82 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.83 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.84 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.86 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.87 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.88 255.255.255.255 0 0
static (dmz,outside) tcp 11.25.11.67 3389 192.168.2.67 3389 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.77 10.100.20.75 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.72 10.100.20.70 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.73 10.100.20.71 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.85 10.100.20.74 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.75 10.100.20.75 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.74 10.100.20.74 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.93 10.100.20.82 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.92 10.100.20.211 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.110 10.100.20.77 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.70 10.100.20.70 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.76 10.100.20.76 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.71 10.100.20.71 netmask 255.255.255.255 0 0
static (inside,dmz) 10.100.20.113 10.100.20.113 netmask 255.255.255.255 0 0
static (inside,outside) 11.25.11.76 10.100.20.66 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 11.25.11.85 eq 1352 any
conduit permit tcp host 11.25.11.77 eq 1352 any
conduit permit tcp host 11.25.11.77 eq smtp any
conduit permit tcp host 11.25.11.73 eq smtp any
conduit permit tcp host 11.25.11.73 eq 1352 any
conduit permit tcp host 11.25.11.67 eq
conduit permit tcp host 11.25.11.68 eq
conduit permit tcp host 11.25.11.69 eq
conduit permit tcp host 11.25.11.70 eq
conduit permit tcp host 11.25.11.75 eq
conduit permit tcp host 11.25.11.80 eq
conduit permit tcp host 11.25.11.81 eq
conduit permit tcp host 11.25.11.82 eq
conduit permit tcp host 11.25.11.83 eq
conduit permit tcp host 11.25.11.84 eq
conduit permit tcp host 11.25.11.86 eq
conduit permit tcp host 11.25.11.87 eq
conduit permit tcp host 11.25.11.88 eq
conduit permit tcp host 11.25.11.77 eq
conduit permit tcp host 11.25.11.77 eq 443 any
conduit permit tcp host 11.25.11.73 eq 443 any
conduit permit tcp host 11.25.11.73 eq
conduit permit tcp host 10.100.20.75 eq 1352 host 192.168.2.67
conduit permit tcp host 10.100.20.75 eq smtp host 192.168.2.67
conduit permit tcp host 11.25.11.93 eq 65301 any
conduit permit udp host 11.25.11.93 eq 5632 any
conduit permit tcp host 11.25.11.93 eq 5631 any
conduit permit udp host 11.25.11.93 eq 22 any
conduit permit udp host 11.25.11.85 eq 22 any
conduit permit tcp host 11.25.11.85 eq 5631 any
conduit permit udp host 11.25.11.85 eq 5632 any
conduit permit tcp host 11.25.11.85 eq 65301 any
conduit permit tcp host 11.25.11.92 eq 65301 any
conduit permit udp host 11.25.11.92 eq 5632 any
conduit permit tcp host 11.25.11.92 eq 5631 any
conduit permit udp host 11.25.11.92 eq 22 any
conduit permit tcp host 11.25.11.110 eq 3389 any
conduit permit tcp host 10.100.20.74 eq 1433 host 192.168.2.67
conduit permit tcp host 192.168.2.0 eq 10.200.20.0
conduit permit tcp host 192.168.2.0 eq 10.200.21.0
conduit permit tcp host 10.100.20.70 eq 137 host 192.168.2.67
conduit permit tcp host 10.100.20.70 eq 138 host 192.168.2.67
conduit permit tcp host 10.100.20.70 eq 139 host 192.168.2.67
conduit permit tcp host 10.100.20.70 eq 135 host 192.168.2.67
conduit permit udp host 10.100.20.70 eq netbios-ns host 192.168.2.67
conduit permit udp host 10.100.20.70 eq netbios-dgm host 192.168.2.67
conduit permit tcp host 11.25.11.76 eq 6000 any
conduit permit tcp host 11.25.11.76 eq 5007 any
conduit permit tcp host 10.100.20.70 eq 6050 host 192.168.2.67
conduit permit udp host 10.100.20.70 eq 41524 host 192.168.2.67
conduit permit tcp host 10.100.20.113 eq 9100 host 192.168.2.67
conduit permit tcp host 11.25.11.67 eq 3389 any
route outside 0.0.0.0 0.0.0.0 11.25.11.65 1
route inside 10.1.1.0 255.255.255.0 10.1.1.1 1
route inside 10.100.1.0 255.255.255.0 10.100.1.1 1
route inside 10.100.20.0 255.255.254.0 10.100.20.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.200.20.0 255.255.255.0 inside
http 10.100.20.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup rr address-pool jjjjj
vpngroup rr dns-server 12.127.17.72 12.127.16.68
vpngroup rr wins-server 10.100.20.70
vpngroup rr split-tunnel 100
vpngroup rr idle-time 72000
vpngroup rr password ********
vpngroup dns-server idle-time 1800
vpngroup idle-time idle-time 1800
vpngroup gsrm address-pool gsrm
vpngroup gsrm dns-server 12.127.17.72 12.127.16.68
vpngroup gsrm wins-server 10.100.20.70
vpngroup gsrm split-tunnel 100
vpngroup gsrm idle-time 72000
vpngroup gsrm password ********
telnet 10.100.20.0 255.255.254.0 inside
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum:155c8b6cf9f463a98e8c285dee8fd824

Any help would be appreciated

Thanks

K..
 
Have you tried something like this....

access-list 100 permit ip host 10.100.1.60 192.168.1.0 255.255.255.0

ip local pool xxx 192.168.1.1-192.168.1.10

vpngroup xxx address-pool xxx
vpngroup xxx dns-server 12.127.17.72 12.127.16.68
vpngroup xxx wins-server 10.100.20.70
vpngroup xxx split-tunnel 100
vpngroup xxx idle-time 72000
vpngroup xxx password ********



----

Sunyasee B-)
 
Hi.

I think that using split-tunnel is a good idea, did it work for you?

Another option is to use access-list or conduit commands to control the traffic from VPN clients, in the same way that you control other traffic.
For this to work you need to disable this:
> sysopt connection permit-ipsec
And start adding rules for VPN clients.

Do you plan to switch from conduit to access-list commands?

Bye
Yizhar Hurwitz
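Added audit script illustrating the two replies above (it is not code from the thread, from the poster's PIX, or from Cisco): it parses the `vpngroup`, `ip local pool` and `access-list` lines of a PIX 6.x config written in the style posted, reports which LAN addresses each group's split-tunnel ACL exposes, checks that the ACL's destination covers the group's pool, and flags that `sysopt connection permit-ipsec` bypasses the conduit/ACL checks for decrypted VPN traffic, so the split-tunnel ACL only shapes what the client routes. The sample config below is constructed; the group name `xxx` and ACL `101` are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the config in the thread (not the poster's full config).
SAMPLE_CONFIG = """\
sysopt connection permit-ipsec
access-list 100 permit ip 10.100.20.0 255.255.254.0 10.10.10.0 255.255.255.0
access-list 101 permit ip host 10.100.1.60 192.168.1.0 255.255.255.0
ip local pool jjjjj 10.10.10.1-10.10.10.20
ip local pool xxx 192.168.1.1-192.168.1.10
vpngroup rr address-pool jjjjj
vpngroup rr split-tunnel 100
vpngroup xxx address-pool xxx
vpngroup xxx split-tunnel 101
"""

ADDR = r"(?:host \S+|any|\S+ \S+)"  # PIX address forms: 'host A', 'any', or 'A MASK'
ACL_RE = re.compile(rf"^access-list (\S+) permit ip ({ADDR}) ({ADDR})$")

def to_network(spec):
    """Turn a PIX address spec into an ip_network."""
    if spec == "any":
        return ip_network("0.0.0.0/0")
    if spec.startswith("host "):
        return ip_network(spec.split()[1] + "/32")
    addr, mask = spec.split()
    return ip_network(f"{addr}/{mask}", strict=False)

def audit_vpngroups(config_text):
    """Per vpngroup: LAN networks its split-tunnel ACL exposes, pool coverage, enforcement."""
    lines = [l.strip() for l in config_text.splitlines()]
    acls, pools, groups = {}, {}, {}
    for line in lines:
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((to_network(m[2]), to_network(m[3])))
        elif m := re.match(r"^ip local pool (\S+) (\S+)-(\S+)$", line):
            pools[m[1]] = (ip_address(m[2]), ip_address(m[3]))
        elif m := re.match(r"^vpngroup (\S+) (address-pool|split-tunnel) (\S+)$", line):
            groups.setdefault(m[1], {})[m[2]] = m[3]
    # With permit-ipsec set, decrypted VPN traffic skips conduit/ACL checks on the PIX.
    bypass = "sysopt connection permit-ipsec" in lines
    report = {}
    for name, g in groups.items():
        entries = acls.get(g.get("split-tunnel"), [])
        start, end = pools.get(g.get("address-pool"), (None, None))
        # The split-tunnel ACL is written from the LAN side: source = LAN, destination = client pool.
        lan = [str(src) for src, _ in entries]
        covered = bool(entries) and start is not None and all(start in d and end in d for _, d in entries)
        report[name] = {"lan_reachable": lan, "single_host": lan == [lan[0]] if lan and lan[0].endswith("/32") else False,
                        "pool_covered": covered, "permit_ipsec_bypass": bypass}
    return report
```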
 
I called Cisco and they had me add an additional access-list 100 line and it worked. Also, I had to do the "ip classless" command on 2 of my routers in between the PIX and the server.

It is working great now, thanks for your suggestions
 