
paulpet

macrumors member
Original poster
Sep 7, 2006
Hello,

I'm playing around with OS X server VPN and was wondering if there is any way to restrict access to only certain IP addresses (even better, to specific ports)?

Clients connect to say 192.168.1.0/24 and I only want them to be able to access an internal web server at 192.168.1.100 and nothing else on the subnet.

Any ideas on the best way to achieve this? Could I use the built in firewall with OS X server?

..or should I have the client VPN network be on a different subnet (eg. 192.168.2.0/24) and then have an intermediate router/firewall take care of restricting access?

Any suggestions/examples would be greatly appreciated!

Thanks!
-Paul
 
Every VPN service I have ever configured has had the ability to restrict access. Even more to the point, a Cisco ASA can allow different access for different users.

10 seconds with Google, and guess what I found:

http://www.peachpit.com/articles/article.aspx?p=680900&seqNum=4

Thanks for the response, I'd already read that, but it's not what I'm after. That article seems to be showing how to restrict certain users from establishing a connection to the VPN service.

I'm trying to restrict access to only certain network addresses once a user connects to the OS X server VPN.


Thanks.
-Paul
 
:)

Thanks, I'd already tried/read that as well. For the record I'm using OS X server 10.5.

A network routing definition does seem like the way to go, but for the life of me I cannot get it to restrict to a single IP address, even when I use a /32 network mask.

192.168.1.100/255.255.255.255 Private provides no access at all to anything.

192.168.1.100/255.255.255.255 Public provided access, but to all machines on the /24 subnet.

I'm using an iPhone to test the connectivity from outside the network, and I'm starting to wonder if maybe it's a quirk with the VPN client.
 
Could be, but you may also need to add in the external and internal IPs of the VPN server.
 
Success!

So I just wanted to follow up with this to say that I have things working in an acceptable way.

I basically did what extrachripsy suggested and created a separate subnet for the VPN pool of addresses, and also on that same (VPN) server I enabled the firewall with rules to prevent access to the main LAN except for the intranet server.

Thanks for the responses and suggestions!

-Paul
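The working setup above (a separate VPN pool plus firewall rules on the VPN server that allow only the intranet server) is easy to get wrong in rule order, so here is an added example, not from the thread or from Apple, that models an ipfw-style first-match rule set and checks it against the intended policy before anything is deployed. The VPN pool 192.168.2.0/24 is the subnet suggested in the thread, and the web ports 80/443 on 192.168.1.100 are an assumption.

```python
"""Model of the first-match firewall policy described in the thread.

Added example: checks that a candidate rule set (ipfw-style, numbered,
first match wins, as on OS X Server 10.5) lets the VPN pool reach only the
intranet web server. Addresses: VPN pool 192.168.2.0/24 (suggested in the
thread), LAN 192.168.1.0/24, intranet server 192.168.1.100.
"""
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("192.168.2.0/24")
LAN = ip_network("192.168.1.0/24")
INTRANET = ip_network("192.168.1.100/32")

# (rule number, action, src, dst, allowed dst ports or None for any).
# Lower numbers are evaluated first. Ports 80/443 are an assumption.
RULES = [
    (100, "allow", VPN_POOL, INTRANET, {80, 443}),
    (200, "deny", VPN_POOL, LAN, None),
]
DEFAULT_ACTION = "allow"  # ipfw's catch-all rule 65535 on a permissive host


def decide(src, dst, dport, rules=RULES, default=DEFAULT_ACTION):
    """Return the action of the first matching rule, else the default."""
    s, d = ip_address(src), ip_address(dst)
    for _num, action, src_net, dst_net, ports in sorted(rules, key=lambda r: r[0]):
        if s in src_net and d in dst_net and (ports is None or dport in ports):
            return action
    return default


def policy_holds(rules=RULES):
    """True if VPN clients reach only INTRANET:80/443 and LAN traffic is untouched."""
    probes = [  # constructed test flows: (src, dst, dport, expected action)
        ("192.168.2.10", "192.168.1.100", 80, "allow"),
        ("192.168.2.10", "192.168.1.100", 22, "deny"),   # only the web ports
        ("192.168.2.10", "192.168.1.50", 80, "deny"),    # rest of the LAN blocked
        ("192.168.1.20", "192.168.1.50", 445, "allow"),  # LAN-to-LAN not affected
    ]
    return all(decide(s, d, p, rules) == want for s, d, p, want in probes)
```

Swapping the two rule numbers makes the deny rule match first and `policy_holds` fails, which is the ordering mistake worth catching before loading the rules on the server.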
 