VPN access on / off switch??


jdl508 (Technical User), Apr 30, 2001
Hello, I have a vendor who "has to have" a VPN into our site. Anyway, I don't want them going in whenever they want to. I would like to somehow have a method of turning the VPN on and off. Is there any easy way of doing this, or should I just remove the access-list when I don't want access and likewise when I do? This would be a pain but a definite necessary evil. Let me know what you think.
Thanks
jdl
 
I am curious as to why they "have to have" a VPN into you if they are a vendor. I have dealt with a few software companies that from time to time need access to update software, but we just put an ACL in to allow them access only to the machine and resource they need.

I am unaware of an easy way to disable the VPN other than just removing the ACL or the mapping.
 
Unfortunately this vendor is constantly patching their app and we are in essence their 'test environment'. I'm not happy about it but it is what it is (out of my control). Anyway, I have provided them access to 1 box and they upload / test from there. Now they want emulation access (pcAnywhere, Citrix, Terminal Services); not sure which way to go yet but it has to be done. Thanks for the reply.
 
Can you dedicate that one box to them? That way you can give them access to that box but lock that box down so they can't have access to the rest of your network from there.
 
I think I've read of an option in the PIX Device Manager that does this, but I confess I've never tried it.
 
HI.

I agree with "pdk68".

Instead of VPN, you can use software like PCAW / VNC, configure it NOT to start automatically but only by user action, and configure a proper access list to allow access from the IP of the vendor to the needed host(s) and ports.
That way you have quite good control over their actions, and on the other hand, once the vendor has the access, it is not limited since you are using remote control. (But still the user sitting at the computer can see what's going on.)

However, you can also do it with VPN+XAUTH. If you are using MS W2K IAS (RADIUS), for example, then you can give the vendor a username/password for access, but only enable their account or only allow them "dial-in access" when you want.

Bye
Yizhar Hurwitz
 
When you say pcany / vpn, are you saying create a public static on the pcAnywhere box and then just allow the appropriate port through .... OR do I need to set up a VPN which they log into and THEN they get to the pcAnywhere box? If it is the latter, that is what I have been trying through a PPTP VPN to no avail. They have a cable modem on their end behind a Netgear FW. No static IPs.
Thanks for the help everyone!
jdl
 
Should be like this for pcAnywhere access:

: The following two access-list entries allow the vendor to connect to the PIX
: (PIX 6.x syntax; the ACL must also be bound to the outside interface with
: "access-group 103 in interface outside", which the original post does not show)
access-list 103 permit tcp host <Their IP> host <Your IP> eq <PCany IN Port>
access-list 103 permit tcp host <Their IP> host <Your IP> eq <PCany Out Port>

: These two lines map the pcAnywhere traffic arriving on your outside IP to your inside host
static (inside,outside) tcp <your outside ip> <PCAny in port> <PCAny Server IP> <PCAny in port> netmask 255.255.255.255 0 0
static (inside,outside) tcp <your outside ip> <PCAny out port> <PCAny Server IP> <PCAny out port> netmask 255.255.255.255 0 0

The inbound and outbound ports can be configured in pcAnywhere; the default for v10.5 is 5631-5632. If they don't have a static IP you can either leave the port open to any (not a good idea) or configure a VPN but set an ACL to only allow them access to the pcAnywhere server.

Hope this helps.
 
HI.

> When you say pcany / vpn are you saying create a public
> static on the pcany box and then just allow the
> appropriate port through
Yes.

> have a cable modem on there end behind a netgear FW.
> No static IP's
Still, they get an IP address from a predictable range of their ISP.
You can allow that range in your ACL to access the PCAW ports. Combining this with manual activation of PCAW only on demand, and PCAW's built-in authentication and other security features, I think this is good enough and best suits your specific scenario.

Yet another option is like in the older days: PCAW using dial-up + authentication + callback, or similar.

Bye
Yizhar Hurwitz
 
Here's an idea: You can disable the tunnel with two commands, and re-enable it with one. Let's say you had a crypto map named "test" and your transform-set was named "vpn". You could enter these commands to disable it:

no crypto map test 10 set transform-set vpn
clear crypto ipsec sa

Then to re-enable it:

crypto map test 10 set transform-set vpn
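To tie the suggestions in this thread together, here is an added PIX 6.x configuration sketch (not from any poster) that limits a site-to-site tunnel's interesting traffic to the single pcAnywhere host and keeps the on/off toggle from the last reply; the names "test" and "vpn" come from that reply, while the addresses, the ACL name "vendor_vpn" and the pre-shared key are assumed placeholders (RFC 5737 documentation ranges).

```cisco
: Interesting traffic: only the pcAnywhere server (assumed 10.1.1.50) may talk to
: the vendor's one management host (assumed 198.51.100.20) through the tunnel.
: Anything else inside the VPN simply never matches and is not encrypted.
access-list vendor_vpn permit ip host 10.1.1.50 host 198.51.100.20

: Do not NAT the tunnelled traffic (nat 0 uses the same ACL)
nat (inside) 0 access-list vendor_vpn

: Phase 1: pre-shared key bound to the vendor peer (assumed 198.51.100.5)
isakmp enable outside
isakmp key REPLACE_WITH_STRONG_KEY address 198.51.100.5 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2

: Phase 2: transform-set "vpn" and crypto map "test" entry 10, as in the reply above
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
crypto map test 10 ipsec-isakmp
crypto map test 10 match address vendor_vpn
crypto map test 10 set peer 198.51.100.5
crypto map test 10 set transform-set vpn
crypto map test interface outside

: Let decrypted traffic bypass the outside ACL (it is already limited by vendor_vpn)
sysopt connection permit-ipsec

: Switching the tunnel off/on without touching the rest of the config:
:   no crypto map test 10 set transform-set vpn
:   clear crypto ipsec sa
: and later
:   crypto map test 10 set transform-set vpn
```

Because the peer address is fixed here, this form suits a vendor with a static endpoint; for the dynamic cable-modem case described earlier, the per-user enable/disable via XAUTH and RADIUS mentioned above is the equivalent switch.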
 