Have a quick question with VPN Grou

[TheStressFactor]

Have a quick question with VPN Groups.

I was wondering if anyone can offer any advice on the following scenario we are trying to implement.

We are trying to create a second vpn group that will only have access to our 192.168.3.0 network and will only have access to terminal services (3389).

Can anyone offer any suggestion on the best way to implement this and the proper syntax to add to our configuration.

The configuration is posted below.

Thank you very much.


PIX Version 6.3(1)
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password encrypted
passwd encrypted
hostname mypix
domain-name mydomain.com
clock timezone EST -5
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
no fixup protocol http 80
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.100.0 255.255.255.
0
access-list nonat permit ip 192.168.77.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split permit ip 192.168.77.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split permit ip 192.168.20.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split permit ip 192.168.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list split permit ip 192.168.5.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside permit tcp any host x.x.x.x eq smtp
access-list outside permit tcp any host x.x.x.x eq https
pager lines 24
logging on
logging timestamp
logging buffered debugging
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.x x.x.x.x
ip address inside x.x.x.x x.x.x.x
ip verify reverse-path interface outside
ip verify reverse-path interface inside
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
nat (inside) 1 192.168.7.0 255.255.255.0 0 0
nat (inside) 1 192.168.20.0 255.255.255.0 0 0
nat (inside) 1 192.168.77.0 255.255.255.0 0 0
static (inside,outside) tcp X.X.X.X https 192.168.3.X https netmask 255.255.255.255 0 0
static (inside,outside) tcp x.x.x.x smtp 192.168.3.x smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 63.102.156.68 smtp 192.168.77.250 smtp netmask 255.2
55.255.255 0 0
static (inside,outside) tcp x.x.x.x 3389 192.168.3.9 3389 netmask 255.255.
255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host 192.168.3.x timeout 10
url-server (inside) vendor websense host 192.168.3.x timeout 5 protocol TCP version 4
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set marinohome esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set marinohome
crypto map testmap 30 ipsec-isakmpcrypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap client authentication partnerauth
crypto map testmap interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400
isakmp policy 999 authentication pre-share
isakmp policy 999 encryption des
isakmp policy 999 hash md5
isakmp policy 999 group 2
isakmp policy 999 lifetime 86400
vpngroup marino address-pool ippool
vpngroup marino dns-server 192.168.3.x 192.168.3.x
vpngroup marino wins-server 192.168.3.x 192.168.3.x
vpngroup marino default-domain marinoware.com
vpngroup marino split-tunnel split
vpngroup marino idle-time 2000
vpngroup marino authentication-server partnerauth
vpngroup marino user-authentication
vpngroup marino device-pass-through
vpngroup marino password
telnet 192.168.3.0 255.255.255.0 inside
console timeout 0
url-block url-mempool 1500
url-block url-size 4
terminal width 80

 

[EddieVenus]

sure, try this. add these lines


access-list nonat permit tcp 192.168.3.0 255.255.255.0 eq 3389 10.1.2.0 255.255.255.0 eq 3389
access-list split permit tcp 192.168.3.0 255.255.255.0 eq 3389 10.1.1.0 255.255.255.0 eq 3389
ip local pool TSpool 10.1.2.1-10.1.2.50
vpngroup TSonly address-pool TSpool
vpngroup TSonly dns-server 192.168.3.x 192.168.3.x
vpngroup TSonly wins-server 192.168.3.x 192.168.3.x
vpngroup TSonly default-domain marinoware.com
vpngroup TSonly split-tunnel split
vpngroup TSonly idle-time 2000
vpngroup TSonly authentication-server partnerauth
vpngroup TSonly user-authentication
vpngroup TSonly device-pass-through
vpngroup TSonly password

I have not added an access list for terminal services before but if 3389 is both the incoming and outgoing ports you are fine, if not you will need to adjust accordingly above. either way this access list will now not NAT anything other than terminal services traffic to the 10.1.2.0 network. In fact anything else should not even try coming accross the tunnel as it is split tunneled so that other traffic is left at the VPNclient side.

Good luck with this. if I have misled you I am sorry, but this should be right. Give it a try if you can.

 

[TheStressFactor]

Thank you so much. I have added the syntax. One question on the 2nd line?

access-list split permit tcp 192.168.3.0 255.255.255.0 eq 3389 10.1.1.0 255.255.255.0 eq 3389

Why is it 10.1.1.0 and not 10.1.2.0 ??

Kinda confused on that...

Gonna try it out in a few and I will let you know how it goes.

Thank you very much.

Patrick

 

[TheStressFactor]

Hi,

I have added the lines, and I can connect totthe vpn fine. However I have do ot have access to anything. i cannot ping naything on the 3 network and cannot connect to anything through Terminal Services.

Any ideas?

Patrick