Cisco VPN and Access-list ?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
Ammad Shah's Avatar (by Gravatar) posted on
November 2, 2008, 6:38 pm
rate this thread
Reply to this post Reply Tag this thread to save it in your account Save Printer-friendly version of this post Print
Dear All,

I am using Remote-vpn to connect work place. but i want to limit that
user to be able to access only
two server 172.16.10.45 and 172.16.10.46 (web/80) . for that i created
acl but its not working,
i can access all services on these system.
My wan interface is  fa0 ,  and when i connect to work place , pool
assigns me ip address  192.168.81.10.
 ACL implemnented on  FA0 in. where as servers are on fa1.1 (vlan 1).


ip access-list extended webout
 permit tcp any 192.168.81.0 0.0.0.255 established
 permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq www
 permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.45 eq 8080
 permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 eq www
 permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 8080 8099
 permit tcp 192.168.81.0 0.0.0.255 host 172.16.10.46 range 3380 3390
 deny ip any any


where is the problem ?


 
P.S's Avatar (by Gravatar) posted on
November 4, 2008, 5:29 pm
Permalink
Reply to this post Reply Tag this thread to save it in your account Save Printer-friendly version of this post Print
Re: Cisco VPN and Access-list ?
Hi,


the established keyword, doesnt' tear down existing connections however,
so did you reconnect AFTER you applied the list to see if it worked or not ?

also maybe its applied in the wrong direction, or to the wrong interface...

one other thing that I am a bit uncomfortable with is the range keyword
used for ports.

I haven't used the ACLs in a while, and CISCO's site, only shows the
time-range command,

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml#ipnamacl




Ammad Shah wrote:
Quoted text here. Click to load it


 

Site Timeline