Access Rules for VPN tunnels

Unanswered Question
Apr 2nd, 2009

I have a customer that needs to create a VPN between two RV082s that would limit the remote site's access to certain devices (in this case telnet-based bar code scanners and IP printers) and from those devices to a single server on the host side.

The VPN setup is simple and was done in a couple of minutes, but what I'm finding is that even after setting up rules with LAN as the source and Any as the destination, the rules don't seem to affect tunnel traffic specifically. I can block all traffic, but as soon as I open up, say, port 23 for telnet access from certain devices, any device can access the remote side.

Any thoughts on adding a source and destination option of "VPN" to the options?

Steven DiStefano Thu, 04/02/2009 - 09:11

The RV082 'DHCP Server' only supports one subnet, so even though we can do 'port-based VLAN' segregation in the local LAN, as soon as you define that subnet as your local group to be shared in the tunnel, I am pretty sure all devices are fair game.

Having said that, when you do set up the tunnel, there is an option on the RV082 'Local Group Setup' and the 'Remote Group Setup' (these are usually the 'subnets' from each site to be shared) that you can try. It's called IP RANGE (instead of Subnet). This lets you pick the hosts to be shared. May require you to statically assign IPs to these clients. Maybe put the devices you want to share at the high end of the range that the DHCP server won't get to, and share those as the IP Range...

Make any sense?

I hope I understood correctly?

Brian Bergin Thu, 04/02/2009 - 11:43

I'll try that again, but if memory serves it said not defined as a valid host or something to that end.

Brian Bergin Thu, 04/02/2009 - 17:56

One thing is we don't use the DHCP server inside the 82s on most of our customers' networks, as they use 2003 or 2008 Active Directory servers, which offer many more DHCP options.

Steven DiStefano Thu, 04/02/2009 - 18:04

Perhaps they can assign addressing per MAC address to accomplish the IP Range thing we discussed for the tunnel...

Brian Bergin Thu, 04/02/2009 - 18:18

Not sure I follow. Yes, IPs can be assigned by MAC (e.g. DHCP reservation), but you don't want to have 2 DHCP servers on the same LAN, and you really don't want to use DHCP servers that aren't AD aware on an AD network.

Steven DiStefano Thu, 04/02/2009 - 18:25

Not suggesting two DHCP servers. Use yours if you have to. Just give those devices that you don't want shared across the tunnel IP address assignments beyond the range you specify in the tunnel config; that is what I am suggesting to try. I haven't done this myself, so it's a suggestion at this point.
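The plan sketched in Steven's two replies (define the tunnel's Local Group as an IP Range rather than the whole subnet, give the shared scanners, printers and server fixed addresses inside that range, and keep everyone else, including the DHCP pool, outside it) is easy to get subtly wrong. The script below is an added example, not code from this thread or from Cisco; it assumes the RV082 enforces the Local Group IP Range the way Steven describes, and all addresses, host names and pool boundaries in it are constructed for illustration. It checks a proposed address plan for the mistakes that would silently re-expose the whole LAN: a range that spans every usable address (which is the subnet in disguise), a DHCP pool overlapping the shared range (a dynamic lease could land an office PC inside it), and hosts placed on the wrong side of the boundary. The same check applies to the Remote Group Setup on the other router.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Host:
    name: str
    ip: IPv4Address
    share_over_tunnel: bool  # True = must be reachable from the remote site


def ip_range(first: str, last: str):
    """Inclusive (first, last) range, as entered in the RV082 'IP Range' fields."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range start {lo} is after range end {hi}")
    return lo, hi


def in_range(ip: IPv4Address, rng) -> bool:
    lo, hi = rng
    return lo <= ip <= hi


def ranges_overlap(a, b) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def check_tunnel_plan(lan: IPv4Network, dhcp_pool, tunnel_range, hosts):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems = []
    lo, hi = tunnel_range

    if lo not in lan or hi not in lan:
        problems.append(f"tunnel IP range {lo}-{hi} is not inside LAN {lan}")

    # A range spanning every usable address is just 'Subnet' mode again:
    # every device on the LAN is reachable through the tunnel.
    if lo <= lan.network_address + 1 and hi >= lan.broadcast_address - 1:
        problems.append("tunnel IP range covers the whole subnet; all hosts are shared")

    # Dynamic leases must never be handed out inside the shared range.
    if ranges_overlap(dhcp_pool, tunnel_range):
        problems.append("DHCP pool overlaps the tunnel IP range; "
                        "a lease could place a non-shared host inside it")

    for h in hosts:
        shared = in_range(h.ip, tunnel_range)
        if h.share_over_tunnel and not shared:
            problems.append(f"{h.name} ({h.ip}) must be shared but is outside the tunnel range")
        if not h.share_over_tunnel and shared:
            problems.append(f"{h.name} ({h.ip}) must stay private but is inside the tunnel range")
    return problems


# --- constructed sample plan for one site (not from the thread) ---
LAN = IPv4Network("192.168.1.0/24")
DHCP_POOL = ip_range("192.168.1.100", "192.168.1.199")     # AD DHCP scope
TUNNEL_RANGE = ip_range("192.168.1.240", "192.168.1.249")  # Local Group 'IP Range'
HOSTS = [
    Host("scanner-1", IPv4Address("192.168.1.241"), share_over_tunnel=True),
    Host("printer-1", IPv4Address("192.168.1.242"), share_over_tunnel=True),
    Host("office-pc", IPv4Address("192.168.1.120"), share_over_tunnel=False),
    Host("ad-dc", IPv4Address("192.168.1.10"), share_over_tunnel=False),
]


def good_plan_problems():
    return check_tunnel_plan(LAN, DHCP_POOL, TUNNEL_RANGE, HOSTS)


def stray_host_problems():
    # A laptop given a static address inside the shared range by mistake.
    stray = HOSTS + [Host("laptop", IPv4Address("192.168.1.245"), share_over_tunnel=False)]
    return check_tunnel_plan(LAN, DHCP_POOL, TUNNEL_RANGE, stray)


def whole_subnet_problems():
    # 'IP Range' entered as .1-.254: equivalent to sharing the subnet.
    return check_tunnel_plan(LAN, DHCP_POOL, ip_range("192.168.1.1", "192.168.1.254"), HOSTS)


if __name__ == "__main__":
    for label, probs in [("good", good_plan_problems()),
                         ("stray host", stray_host_problems()),
                         ("whole subnet", whole_subnet_problems())]:
        print(f"{label}: {'OK' if not probs else ''}")
        for p in probs:
            print("  -", p)
```

Run it before committing the static assignments (or the DHCP reservations Brian mentions) to the devices; the point is that the tunnel's IP Range, the DHCP scope and the fixed addresses have to be planned as one allocation, since the router only enforces the first of the three.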

Moderator Thu, 04/02/2009 - 12:21

This post has been moved to the Small Business Support community.

Cisco Moderation Team