
VPN and limiting internet access

Hello all, I am very new to VPNs and Firewalls so please forgive me for lack of terminology usage.

I am part of a company that has 20 internal PCs and 25 external sites (convenience stores) that are all now being placed on a VPN. We purchased an ASA 5510 for the office and we are placing Linksys RV042 routers at the stores. What my question is, is that we have a few stores that need limited internet access because we have Subway restaurants there and they need to download and upload at times. What I don't want is to allow full access to the net because of the chance of outside attacks or viruses.

My question is, what can be done to set the VPN in place but only allow certain access to web addresses that we say are alright to have communication with?

Is this possible and / or what else needs to be purchased?

I thank you in advance for any help you can advise on.

JJ

2 REPLIES

Re: VPN and limiting internet access

What I would do is tunnel all traffic to your ASA, then use the ASA to perform URL filtering to control where they can web surf.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008088517b.shtml

Hope this helps.

Re: VPN and limiting internet access

Hi,

You may have a few simple options. You probably won't be able to configure url filtering on the linksys boxes, and depending on the way you have configured your VPN, you may not be able to url filter on the ASA either. If all traffic from the remote sites is traversing the VPN then try this on the ASA.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

This uses regular expressions to filter HTTP traffic based on specified HTTP traffic patterns.

Alternatively, you could just block all http outbound on the Linksys boxes and have a permit rule for the individual addresses you need to allow.

i.e.

permit http 1.1.2.2

permit http 63.72.52.32

deny http all

I hope you get the idea here. Obviously you need to get the addresses of the individual websites for the second option. Pinging them usually does it.

HTH (Please rate if it does)

Stephen

========================== http://www.rconfig.com A free, open source network device configuration management tool, customizable to your needs! - Always vote on an answer if you found it helpful
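As an added illustration of Stephen's allow-list idea applied on the ASA side (this is example configuration written for this thread, not Cisco's or the poster's own), the following uses a vpn-filter on the store's site-to-site group policy so that, with all store traffic tunneled to the office as the first reply suggests, the store can reach the office LAN and the two listed web hosts and nothing else. It goes slightly beyond the reply by also permitting HTTPS. The store LAN 192.168.10.0/24, office LAN 192.168.1.0/24 and peer address 203.0.113.10 are assumed placeholders; 1.1.2.2 and 63.72.52.32 are the addresses from the reply above.

```cisco
! Example config, not from the thread. Assumed addresses:
!   store LAN     192.168.10.0/24
!   office LAN    192.168.1.0/24
!   store peer    203.0.113.10   (RV042 WAN address, placeholder)
!   allowed sites 1.1.2.2 and 63.72.52.32 (the two hosts in the reply)
!
! Web servers the store may reach. A site name can map to several
! addresses, so resolve it and add every address, and re-check over time.
object-group network STORE_ALLOWED_WEB
 network-object host 1.1.2.2
 network-object host 63.72.52.32
!
object-group service WEB_PORTS tcp
 port-object eq www
 port-object eq https
!
! vpn-filter ACLs are written with the remote (store) side as source and
! the local side as destination; the ASA applies them in reverse for
! connections the office initiates toward the store.
access-list STORE_VPN_FILTER extended permit ip 192.168.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list STORE_VPN_FILTER extended permit tcp 192.168.10.0 255.255.255.0 object-group STORE_ALLOWED_WEB object-group WEB_PORTS
! Explicit final deny with logging so blocked attempts appear in syslog
! (the implicit deny at the end of the filter would be silent).
access-list STORE_VPN_FILTER extended deny ip 192.168.10.0 255.255.255.0 any log
!
! Internet-bound traffic that arrives over the tunnel on "outside" has to
! leave through "outside" again, which the ASA refuses by default.
same-security-traffic permit intra-interface
!
group-policy STORE_GP internal
group-policy STORE_GP attributes
 vpn-filter value STORE_VPN_FILTER
!
! Attach the policy to this store's site-to-site tunnel.
tunnel-group 203.0.113.10 general-attributes
 default-group-policy STORE_GP
```

The store subnet also needs a NAT rule out of the outside interface for the hairpinned web traffic; that syntax differs between ASA software releases, so it is left out here.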