
How to restrict VPN access to LAN with SA540?

carterbraxton
Level 1

We recently purchased a Cisco SA 540 Security Appliance in order to have VPN access to our company network. The intent is to allow outside vendors specific access to a single server and lock them out of the rest of the network. SSL VPN tunnel is being used.

Setting up the VPN was a breeze, but we are having trouble restricting incoming traffic to the target server. The following things were done:

1. Set up a group for VPN access.

2. Define a network resource consisting of the server IP address.

3. Define a network resource consisting of the entire LAN (a.b.c.d/24).

4. Add a group policy permitting access to the server.

5. Add a group policy denying access to the LAN.

The problem is that after doing this, VPN users can still ping and connect to all systems on the LAN. There does not appear to be anything in the firewall settings that pertains to the VPN tunnel. What needs to be done to put an effective restriction in place? Thanks for any help with this!

3 Replies

Joe B Danford
Cisco Employee

There are a few ways to do this depending on what you have configured. You can use dynamic access policies, proxy auth, egress access-controls lists for the vpn pool (use a sep pool for contractors) etc... One easy way is to use the VPN-Filter command as documented below. I would suggest you read the doc all the way through to understand how to use the feature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
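The vpn-filter approach referred to above, as an added example that is not part of this thread or the linked document. It is Cisco ASA CLI (the feature Joe names, not the SA540 GUI), and every ACL, pool, group-policy and tunnel-group name and every address is a constructed placeholder.

```text
! Added example (not from this thread): restrict a contractor group-policy on a
! Cisco ASA to one inside server with a vpn-filter ACL.
! Constructed placeholder values:
!   192.168.1.50      the single server contractors may reach
!   10.10.10.0/24     an address pool used only for contractors
!
! vpn-filter ACEs are written from the inside network's perspective:
! source = inside host/network (any port operator goes here),
! destination = the VPN client pool. The filter is checked bidirectionally.
access-list CONTRACTOR-FILTER remark allow the one server, nothing else
access-list CONTRACTOR-FILTER extended permit ip host 192.168.1.50 10.10.10.0 255.255.255.0
access-list CONTRACTOR-FILTER remark explicit deny with logging so blocked LAN probes show up in syslog
access-list CONTRACTOR-FILTER extended deny ip any 10.10.10.0 255.255.255.0 log
!
! Separate pool for contractors, so the filter can key on their addresses
ip local pool CONTRACTOR-POOL 10.10.10.10-10.10.10.50 mask 255.255.255.0
!
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-filter value CONTRACTOR-FILTER
 address-pools value CONTRACTOR-POOL
!
! Tunnel group that hands contractors the restricted policy
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy CONTRACTORS
```

Once a contractor connects, `show vpn-sessiondb detail` (ASA CLI) shows the filter name attached to the session, and the logged deny entries give a quick check that the LAN really is unreachable.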

This router is a new product and is completely web/GUI-based as far as setup. None of the normal recommendations for CLI-based Cisco routers apply to it as far as I can tell. I'm also running into problems getting telnet traffic through the tunnel, but that's a topic for another posting...

You are talking about the ASA 5540, right? This is a Cisco Firewall. You should be able to access the command line with either SSH or telnet. Here is how to set it up both via CLI and the GUI:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
