Security issue within the VPN

Hi there,

I want to use a VPN connection to let certain customers access a server in my DMZ. I'm using a PIX firewall as VPN server and the Cisco VPN client to connect. I have several servers in the DMZ. My question is how can I restrict the customer's access to the other servers. In my tests, when the VPN is established I can ping the other servers as well. I can also connect to the other servers and explore the hard drive, of course I need to log in first. I want the connection restricted to that one particular server only.

Any suggestions?

Thanks, Greg

GREGTAP

Build a "vendor" group and only permit it to that device.

Brian V

Another option: make sure the "sysopt connection permit-ipsec" command is NOT in your PIX; then all VPN users must still pass through your outside ACL. You can define a simple statement in your ACL to only permit them to talk to that one server.

(that command is slightly different in 7.x)

e.g. if your VPN users are given addresses from 192.168.255.x:

access-list outside_acl permit ip 192.168.255.0 255.255.255.0 host 192.168.1.5

(where 192.168.1.5 is your server). Make sense?
john smith
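The approach from the two replies above, written out as a complete PIX 6.x configuration fragment. This is an added example and not something either poster supplied; the ACL name outside_acl, the pool name vpnpool, the group name vendor and the address ranges are assumptions carried over from the thread (192.168.255.0/24 for VPN clients, 192.168.1.5 for the permitted server), and the pre-shared key is a placeholder.

```cisco
! Added example, not from the thread. Assumed names: vpnpool, vendor, outside_acl.
! Addresses handed to VPN clients (the 192.168.255.x range from the reply above).
ip local pool vpnpool 192.168.255.1-192.168.255.254

! The "vendor" group that remote customers connect to with the Cisco VPN client.
! PLACEHOLDER-KEY must be replaced with a real pre-shared key.
vpngroup vendor address-pool vpnpool
vpngroup vendor password PLACEHOLDER-KEY

! Key step: with this sysopt present, decrypted IPsec traffic bypasses the
! outside interface ACL entirely and the restriction below never applies.
no sysopt connection permit-ipsec

! Outside ACL: VPN clients may reach only the one DMZ server.
! The explicit deny is redundant with the implicit deny but makes attempts
! to reach other DMZ hosts show up in syslog and in the ACL hit counters.
access-list outside_acl permit ip 192.168.255.0 255.255.255.0 host 192.168.1.5
access-list outside_acl deny ip 192.168.255.0 255.255.255.0 any log

! Bind the ACL to the outside interface so the rules take effect.
access-group outside_acl in interface outside
```

After applying this, have a test client connect and try to ping another DMZ host; `show access-list outside_acl` should show the hit count on the deny line increasing while the permit line counts only traffic to 192.168.1.5. On PIX/ASA 7.x the sysopt is named `sysopt connection permit-vpn`, so the corresponding line there is `no sysopt connection permit-vpn`, which is the "slightly different" command the reply mentions.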
