Can't deny access between two groups of Easy VPN Server users

Hi,

I have a problem with my Easy VPN Server in that I want to prohibit two groups of users from knowing the other exists (via ACLs). I have observed the following behaviour:

From an 11.4 host, 10.3.0.1 can be reached, but not any 10.3 host (ACL works partially)
From an 11.2 host, 10.4.0.1 can be reached, but not any 10.4 host (ACL works partially)
From an 11.4 host, any 11.2 host can be reached (full ACL bypass)
From an 11.2 host, any 11.4 host can be reached (full ACL bypass)

Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.3(8)T5, RELEASE SOFTWARE (fc2)

config excerpts below:

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group UserGroup1
 key test123
 pool SDM_POOL_1
 access-restrict FastEthernet0/1.1
 include-local-lan
!
crypto isakmp client configuration group UserGroup2
 key test123
 pool SDM_POOL_2
 access-restrict FastEthernet0/1.2
 include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
interface FastEthernet0/1
 no ip address
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 speed 100
 full-duplex
 no cdp enable
 no mop enabled
!
!
interface FastEthernet0/1.1
 encapsulation dot1Q 24
 ip address 10.3.0.1 255.255.0.0
 ip access-group 101 in
 ip access-group 101 out
 no cdp enable
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1.2
 encapsulation dot1Q 49
 ip address 10.4.0.1 255.255.0.0
 ip access-group 101 in
 ip access-group 101 out
 no cdp enable
 crypto map SDM_CMAP_2
!
ip local pool SDM_POOL_1 11.2.0.1 11.2.0.10
ip local pool SDM_POOL_2 11.4.0.1 11.4.0.10
!
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 permit ip any any
!

Thanks,

DataSquid

Hi,

I was able to find the information I needed to solve the problem here:

formatting link
Specifically, I added "ip access-group 101 in" and "ip access-group 101 out" to each "crypto dynamic-map" section.

DataSquid
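Added here as an independent check, not code from the thread: a small Python evaluator for Cisco extended ACLs with wildcard masks, run against ACL 101 exactly as posted in the question. It confirms that the ACL entries themselves deny the 11.4 to 11.2 and 11.2 to 11.4 flows that were observed passing, so the bypass comes from where the ACL is enforced (interface versus crypto map), not from the entries. It assumes contiguous wildcard masks and `ip` entries with `any` or address/wildcard operands, which is all the posted ACL uses.

```python
import ipaddress

# ACL 101 as posted in the question, pasted into a string for offline evaluation.
ACL_101 = """
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard pair -> network (wildcard 1-bits are 'don't care')."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # only contiguous low-order wildcards map to a prefix length
        raise ValueError("non-contiguous wildcard mask not supported: " + wildcard)
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_addr(tokens):
    """Consume one address spec ('any' or 'A WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src_net, dst_net)."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark" or t[3] != "ip":
            continue  # remarks and non-ip entries are skipped (the posted ACL has only ip entries)
        src, rest = _parse_addr(t[4:])
        dst, _ = _parse_addr(rest)
        entries.append((t[2], src, dst))
    return entries


def evaluate(acl, src, dst):
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return "deny"
```

Calling `evaluate(parse_acl(ACL_101), "11.4.0.5", "11.2.0.3")` returns `deny`, while the same client to its own LAN (`"10.4.0.7"`) returns `permit`, matching the intent of the posted entries.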
