
restricting vpn traffic to DMZ host/port 1

Status
Not open for further replies.

br0ck

MIS
Apr 25, 2002
467
US
I need to let someone onto a server in our DMZ via RDP with the Cisco VPN client.

I set up a VPN group for him and I am trying to only grant him access to ports 80, 443 and 3389 on the server.

The access lists I'm using are as follows:

access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.36.0 255.255.255.0

This works but allows everything... not what I want.

So I attempted to tighten the ACL to:

access-list nonat permit tcp host 192.168.10.100 192.168.36.0 255.255.255.0 eq 3389

Now no traffic will flow.

Any ideas?!
 
The above access rule doesn't control or filter the traffic; it only disables NAT for the VPN traffic, and that is how you can access the servers using their private IPs. You need to remove the "sysopt connection permit-ipsec" command and then control the traffic with whatever ACL is applied to the outside interface.

Hope that helps
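The configuration the reply describes, written out as an added example (this is not config from either poster, and it is not a verified thread answer). It assumes PIX 6.x syntax, that 192.168.10.100 is the DMZ server and 192.168.36.0/24 is the VPN client pool (which is how the thread's nonat line reads), and that the DMZ interface is named "dmz" and the outside ACL "outside_in"; those names are placeholders. The "!" lines are reading notes, not commands to type.

```text
! NAT exemption stays a plain "ip" permit for the whole subnet pair. It only
! decides that VPN traffic is not translated; it does not filter anything.
access-list nonat permit ip 192.168.10.0 255.255.255.0 192.168.36.0 255.255.255.0
nat (dmz) 0 access-list nonat

! Stop decrypted IPsec traffic from bypassing the interface ACLs.
no sysopt connection permit-ipsec

! Filter the VPN client pool on the outside interface: only the three wanted
! ports to the one DMZ host, then deny everything else from the pool.
! (Interface name "dmz" and ACL name "outside_in" are assumptions.)
access-list outside_in permit tcp 192.168.36.0 255.255.255.0 host 192.168.10.100 eq 80
access-list outside_in permit tcp 192.168.36.0 255.255.255.0 host 192.168.10.100 eq 443
access-list outside_in permit tcp 192.168.36.0 255.255.255.0 host 192.168.10.100 eq 3389
access-list outside_in deny ip 192.168.36.0 255.255.255.0 any
! ... any existing rules for Internet-sourced traffic follow here ...
access-group outside_in in interface outside
```

Two things worth checking before applying this: the ACL is evaluated top-down on first match, so the deny for the VPN pool has to sit above any broader permits already in the outside ACL, and "no sysopt connection permit-ipsec" affects every IPsec tunnel terminating on that firewall, so any other VPN peers need their own permit lines in the same outside ACL or they will lose access as well.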
 
Thank you sir,
That was what I was looking for!
