How to restrict VPN access to LAN with SA540?

Unanswered Question
Jan 7th, 2010

We recently purchased a Cisco SA 540 Security Appliance in order to have VPN access to our company network. The intent is to allow outside vendors specific access to a single server and lock them out of the rest of the network. SSL VPN tunnel is being used.

Setting up the VPN was a breeze, but we are having trouble restricting incoming traffic to the target server. The following things were done:

1. Set up a group for VPN access.

2. Define a network resource consisting of the server IP address.

3. Define a network resource consisting of the entire LAN (a.b.c.d/24).

4. Add a group policy permitting access to the server.

5. Add a group policy denying access to the LAN.

The problem is that after doing this, VPN users can still ping and connect to all systems on the LAN. There does not appear to be anything in the firewall settings that pertains to the VPN tunnel. What needs to be done to put an effective restriction in place? Thanks for any help with this!

Joe B Danford Fri, 01/08/2010 - 05:55
User Badges: Cisco Employee

There are a few ways to do this depending on what you have configured. You can use dynamic access policies, proxy auth, egress access-control lists for the VPN pool (use a separate pool for contractors), etc. One easy way is to use the VPN-Filter command as documented below. I would suggest you read the doc all the way through to understand how to use the feature.
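
The following is an added illustration of the VPN-Filter approach named above, not configuration from the poster or from the SA540 GUI; it uses Cisco ASA CLI syntax with constructed placeholder addresses (VPN pool 10.200.0.0/24, target server 192.168.1.50, RDP on tcp/3389) to show how a per-group filter limits a vendor pool to a single host.

```cisco
! Added example: vpn-filter restricting a contractor VPN group to one server.
! Placeholders: pool 10.200.0.0/24, server 192.168.1.50, service tcp/3389.
! A vpn-filter ACL is written from the remote client's perspective:
! source = VPN client address, destination = inside host.
ip local pool VENDOR-POOL 10.200.0.1-10.200.0.50 mask 255.255.255.0
!
! Permit only the vendor pool to the one server and service; deny everything
! else (ping to other LAN hosts is dropped here), logging the denials.
access-list VENDOR-FILTER extended permit tcp 10.200.0.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list VENDOR-FILTER extended deny ip any any log
!
! Bind the filter and the dedicated pool to a group policy used only by vendors.
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-filter value VENDOR-FILTER
 address-pools value VENDOR-POOL
!
! Vendors connect to this tunnel group, which hands out the restricted policy.
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
 default-group-policy VENDOR-GP
```

Keeping contractors on their own pool and group policy means the deny rule cannot affect employee users, and `show access-list VENDOR-FILTER` hit counts confirm whether the filter is actually being applied.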

carterbraxton Fri, 01/08/2010 - 11:32

This router is a new product and is completely web/GUI-based as far as setup. None of the normal recommendations for CLI-based Cisco routers apply to it as far as I can tell. I'm also running into problems getting telnet traffic through the tunnel, but that's a topic for another posting...
