Can't deny access between two groups of Easy VPN Server users
Posted by DataSquid on June 16th, 2005


Hi,

I have a problem with my Easy VPN Server in that I want to prohibit two
groups of users from knowing the other exists (via ACLs). I have
observed the following behaviour:

Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.3(8)T5, RELEASE SOFTWARE (fc2)

config excerpts below:

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group UserGroup1
key test123
pool SDM_POOL_1
access-restrict FastEthernet0/1.1
include-local-lan
!
crypto isakmp client configuration group UserGroup2
key test123
pool SDM_POOL_2
access-restrict FastEthernet0/1.2
include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
crypto map SDM_CMAP_2 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip proxy-arp
no ip unreachables
speed 100
full-duplex
no cdp enable
no mop enabled
!
!
interface FastEthernet0/1.1
encapsulation dot1Q 24
ip address 10.3.0.1 255.255.0.0
ip access-group 101 in
ip access-group 101 out
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0/1.2
encapsulation dot1Q 49
ip address 10.4.0.1 255.255.0.0
ip access-group 101 in
ip access-group 101 out
no cdp enable
crypto map SDM_CMAP_2
!
ip local pool SDM_POOL_1 11.2.0.1 11.2.0.10
ip local pool SDM_POOL_2 11.4.0.1 11.4.0.10
!
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 10.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 10.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 10.3.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 10.3.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 10.4.0.0 0.0.255.255
access-list 101 deny ip 11.4.0.0 0.0.255.255 11.2.0.0 0.0.255.255
access-list 101 deny ip 11.2.0.0 0.0.255.255 11.4.0.0 0.0.255.255
access-list 101 permit ip any any
!


Thanks,

--
Dan


Posted by DataSquid on June 17th, 2005


Hi,

I was able to find the information I needed to solve the problem here:
http://www.cisco.com/en/US/products/...08022c2a5.html

Specifically, I added "ip access-group 101 in" and "ip access-group 101
out" to each "crypto dynamic-map" section.
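For readers trying to reproduce the fix, the fragment below is an added example, not configuration from the original poster or from Cisco. It attaches an ACL to the clear-text traffic of each Easy VPN group by setting it on the crypto dynamic-map entries from the question, in addition to the interface ACLs already on FastEthernet0/1.1 and FastEthernet0/1.2. It assumes the crypto-map form of the command is "set ip access-group <acl> {in | out}" (the Crypto Access Check on Clear-Text Packets feature, available from IOS 12.3(8)T, which matches the 12.3(8)T5 image in the question). ACL 102, the "log" keywords and the verification commands at the end are illustrative additions; the pool and VLAN addresses are the ones from the posted config.

```cisco
! Added example (not from the original post).
! The interface ACLs on the dot1Q subinterfaces see the packet as it
! arrives from the wire, i.e. before decryption; an ACL set on the
! crypto map is checked against the decrypted clear-text packet (in)
! and against the clear-text packet before encryption (out), so it
! sees the 11.x pool addresses that ACL 101 is trying to match.
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 set ip access-group 102 in
 set ip access-group 102 out
 reverse-route
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set ESP-3DES-SHA1
 set ip access-group 102 in
 set ip access-group 102 out
 reverse-route
!
! Every packet passing through these maps has a pool address as its
! clear-text source (in) or destination (out), so only the pool-to-pool
! and pool-to-other-VLAN denies are needed here. The pools in the
! question are 11.2.0.1-10 and 11.4.0.1-10, so 0.0.0.255 is tight
! enough; the VLAN networks are /16, matching the 0.0.255.255 used in
! the original ACL 101. "log" is optional and lets a syslog collector
! pick up attempted cross-group access.
access-list 102 remark Isolate UserGroup1 (SDM_POOL_1) from UserGroup2 (SDM_POOL_2)
access-list 102 deny   ip 11.2.0.0 0.0.0.255 11.4.0.0 0.0.0.255 log
access-list 102 deny   ip 11.4.0.0 0.0.0.255 11.2.0.0 0.0.0.255 log
access-list 102 deny   ip 11.2.0.0 0.0.0.255 10.4.0.0 0.0.255.255 log
access-list 102 deny   ip 10.4.0.0 0.0.255.255 11.2.0.0 0.0.0.255 log
access-list 102 deny   ip 11.4.0.0 0.0.0.255 10.3.0.0 0.0.255.255 log
access-list 102 deny   ip 10.3.0.0 0.0.255.255 11.4.0.0 0.0.0.255 log
access-list 102 permit ip any any
!
! Verification from exec mode (illustrative): confirm the access-group
! shows up on each dynamic-map entry, then have a client in UserGroup1
! ping a UserGroup2 pool address or a 10.4.0.0/16 host and check that
! the matching deny counter increments rather than the permit.
!   show crypto dynamic-map
!   show access-lists 102
!   show crypto ipsec sa
```

Keep ACL 101 on the subinterfaces as in the original configuration; the crypto-map ACL complements it rather than replacing it, and the two together cover both the encrypted packet as it arrives and the clear-text packet after decryption.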