Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Westi on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Restricting VPN Client access

Status
Not open for further replies.
lickm

lickm

MIS
Oct 6, 2003
4
US
Hi,

I am trying to create VPN Remote Access groups with limited access to our network. When I have the IPSEC rules allowing anything, it works without any problem. But as soon as I restrict the selected IP Pool to a specific resource, I am no longer able to log in. If I put a drop rule in following the above rule, I see the hitcount rise everytime I attempt to login. Any ideas what is being dropped not allowing me to login?

Thanks for your assistance,

Matt
 
Sort by date Sort by votes
Notes about my config:

The RA-VPN pool works without any issues. I am unable to login to the "test-deny" group. If I remove the restriction to the 64.1 device, I am then able to log in to the group. I am creating this config mostly through the PDM.

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 3.0(1)

sysopt connection permit-ipsec

access-list inside_outbound_nat0_acl line 1 permit ip any RA_VPN 255.255.255.240 (hitcnt=37)
access-list inside_outbound_nat0_acl line 2 permit ip host x.x.64.1 x.x.7.16 255.255.255.240 (hitcnt=0)

access-list outside_cryptomap_dyn_10 line 1 permit ip any RA_VPN 255.255.255.240 (hitcnt=30)
access-list outside_cryptomap_dyn_10 line 2 permit tcp host x.x.64.1 x.x.7.16 255.255.255.240 eq

crypto dynamic-map outside_dyn_map 10 match address outside_cryptomap_dyn_10
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside

isakmp enable outside
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

vpngroup test1 address-pool RA-VPN
vpngroup test1 dns-server x.x.x.x
vpngroup test1 default-domain xxx.org
vpngroup test1 idle-time 1800
vpngroup test1 password ********

vpngroup testdeny address-pool test-deny
vpngroup testdeny dns-server x.x.x.x
vpngroup testdeny default-domain xxx.org
vpngroup testdeny idle-time 1800
vpngroup testdeny password ********
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Shmid
  • Locked
  • Question
Restricting Sonicwall SSL-VPN users for WAN access
Replies
7
Views
795
Shmid
Shmid
intel233
  • Locked
  • Question
Cisco ASA - VPN Question
Replies
6
Views
650
intel233
intel233
ISDPCMAN
  • Locked
  • Question
RDP fails over VPN
Replies
1
Views
231
gkittelson
gkittelson
WhosYourDiffie
  • Locked
  • Question
Cisco ASA 5506 VPN for Avaya Phones
Replies
0
Views
178
WhosYourDiffie
WhosYourDiffie
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
150
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top