Hi Farrukh & Piotr,
Thanks for your reply.
Okay, I understand that I can use an outbound ACL on the inside interface.
Alternatively, can I use Centralized Protection Policy (CPP)? If yes, which one
would be more appropriate?
If you can provide a config example of CPP for the Cisco VPN client...
BR
Gulam
On Sun, Jan 24, 2010 at 10:54 PM, Piotr Matusiak <piotr_at_ccie1.com> wrote:
> Hi Gulam,
>
> Just after Farrukh's answer, I've realized that I misunderstood your
> question.
> If you want to filter user's traffic after establishing RA VPN, the
> solution provided by Farrukh is right. Just use an ACL in the outbound
> direction on the inside interface (not the outside interface as there is
> bypass by default for VPN traffic).
>
> Another solution could be modifying the ACL for split-tunneling.
>
> HTH,
> --
> Piotr Matusiak
> CCIE #19860 (R&S, Security)
> Technical Instructor
> website: www.MicronicsTraining.com <http://www.micronicstraining.com/>
>
> If you can't explain it simply, you don't understand it well enough -
> Albert Einstein
>
>
> 2010/1/24 Farrukh Haroon <farrukhharoon_at_gmail.com>
>
>> Hello Ghulam
>>
>> You can make an access-list on the inside interface of the EZVPN server.
>> E.g. an ACL in the outbound direction will be something like:
>>
>> access-list ... <source-ip-will-be-vpn-ip-pool>
>> <destination-local-resource-behind-ezvpn-server>
>>
>> Regards
>>
>> Farrukh
>>
>> On Sun, Jan 24, 2010 at 1:40 PM, GULAM KAREEMUDDIN KHAN
>> <gkareemk_at_gmail.com> wrote:
>>
>> > Dear Experts,
>> >
>> > I have configured IOS-to-VPN Client (easy-vpn) and am able to access the
>> > server successfully from the client. I need to apply an access-list for VPN
>> > clients to allow only particular ports to be accessed from the client.
>> >
>> > Thanking you.
>> >
>> > BR
>> > Gulm Kareem
>> >
>> >
>> > Blogs and organic groups at http://www.ccie.net
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
Received on Mon Jan 25 2010 - 13:52:28 ART
This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:42 ART
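
The outbound ACL on the inside interface that Farrukh and Piotr describe in the thread, written out as an added example that is not part of the original messages. The pool 10.10.10.0/24, the server 192.168.1.10, the allowed ports, the ACL name and the interface FastEthernet0/1 are all constructed assumptions.

```cisco
! Constructed example values (assumptions, not from the thread):
!   VPN client address pool : 10.10.10.0/24
!   Inside server           : 192.168.1.10
!   Inside interface        : FastEthernet0/1
!
! Decrypted remote-access traffic leaves the router toward the LAN with a
! source address from the VPN pool, so it is matched here on egress.
ip access-list extended VPN-CLIENTS-TO-INSIDE
 remark Allow VPN clients only HTTPS and RDP to the inside server
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 443
 permit tcp 10.10.10.0 0.0.0.255 host 192.168.1.10 eq 3389
 remark Drop and log everything else sourced from the VPN pool
 deny   ip 10.10.10.0 0.0.0.255 any log
 remark Leave non-VPN traffic forwarded to the inside LAN unaffected
 permit ip any any
!
interface FastEthernet0/1
 description Inside LAN
 ip access-group VPN-CLIENTS-TO-INSIDE out
```

`show ip access-lists VPN-CLIENTS-TO-INSIDE` displays per-entry match counters, which confirms that client traffic is hitting the intended permit and deny lines.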