Cisco Support Community
Community Member

How to prevent a VPN client from accessing the whole LAN?

It seems that when a remote user connects by VPN to the corporate LAN, he can access all computers and all servers. I tried to apply an access-list to the inside interface, but it doesn't work. How can I prevent a VPN remote user from connecting to a specific server?


Cisco Employee

Re: How to prevent a VPN client from accessing the whole LAN?

You have to create rules that only allow access to specified boxes, then apply those rules to a filter, then apply that filter to that user. Go under the Configuration - Policy Mgmt - Traffic Mgmt section and then do the following:

To allow access to and block everything else:

To block access to everything but, create a rule that is Inbound/Forward, Source of Anything, Destination of . Create another rule; it can be left at the defaults, which is Inbound, Drop, Source of anything, Dest of anything. Create a filter with default action of forward and add both your new rules to it, making sure the rule that allows access to the host 10.1.12 is ABOVE the default rule that will drop everything else.

To block access to and allow everything else:

To allow access to everything except, create a rule that says Inbound, Drop, Source of anything and Destination of . Add a filter whose default action is to forward, and add the rule to that filter.


- You can allow or block access to whole subnets simply by changing your address/mask combination to something like:

Now go under the User Management section and apply that filter to the Group or User section under the General tab.
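The answer above hinges on two things that are easy to get wrong in the GUI: rules in a filter are evaluated top to bottom with the first match winning, and the filter's default action decides everything no rule matched. The following is an added example (not code from the thread or from Cisco) that simulates that first-match evaluation in Python so the two scenarios from the answer can be checked side by side, and includes a small shadowing check that flags a rule that can never match because a broader rule sits above it. All addresses and rule names are constructed for the example; the rule direction (Inbound) is omitted since it does not affect the ordering point.

```python
"""Added example, not from the original thread: a minimal first-match
simulation of concentrator-style traffic filters, showing why rule order
and the filter's default action matter.  Addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "forward" or "drop"
    source: IPv4Network    # "anything" is represented as 0.0.0.0/0
    dest: IPv4Network

    def matches(self, src: IPv4Address, dst: IPv4Address) -> bool:
        return src in self.source and dst in self.dest


@dataclass
class Filter:
    rules: list = field(default_factory=list)   # evaluated top to bottom
    default_action: str = "forward"             # applies when no rule matches

    def decide(self, src: str, dst: str) -> str:
        s, d = ip_address(src), ip_address(dst)
        for rule in self.rules:        # first match wins
            if rule.matches(s, d):
                return rule.action
        return self.default_action


ANY = ip_network("0.0.0.0/0")
SERVER = ip_network("192.0.2.10/32")        # constructed host, stands in for "the host"
SUBNET = ip_network("192.0.2.0/24")         # constructed subnet (address/mask form)

ALLOW_SERVER = Rule("allow-server", "forward", ANY, SERVER)
DROP_SERVER = Rule("drop-server", "drop", ANY, SERVER)
DROP_ALL = Rule("drop-all", "drop", ANY, ANY)   # the "default" drop rule
ALLOW_SUBNET = Rule("allow-subnet", "forward", ANY, SUBNET)


def allow_only_server() -> Filter:
    """Scenario 1: allow one host, drop everything else.
    The allow rule must sit ABOVE the catch-all drop."""
    return Filter([ALLOW_SERVER, DROP_ALL])


def allow_only_server_misordered() -> Filter:
    """Same two rules in the wrong order: drop-all shadows the allow rule,
    so the VPN user loses access to the server too."""
    return Filter([DROP_ALL, ALLOW_SERVER])


def block_only_server() -> Filter:
    """Scenario 2: drop one host, let the filter's default action
    (forward) handle everything else."""
    return Filter([DROP_SERVER], default_action="forward")


def allow_only_subnet() -> Filter:
    """Subnet variant: same shape as scenario 1 with an address/mask."""
    return Filter([ALLOW_SUBNET, DROP_ALL])


def shadowed_rules(f: Filter) -> list:
    """Names of rules that can never match because an earlier rule covers
    the same or a larger source/destination space.  A cheap lint for the
    ordering mistake the answer warns about."""
    out = []
    for i, rule in enumerate(f.rules):
        for earlier in f.rules[:i]:
            if (rule.source.subnet_of(earlier.source)
                    and rule.dest.subnet_of(earlier.dest)):
                out.append(rule.name)
                break
    return out


if __name__ == "__main__":
    client = "10.10.10.5"   # constructed VPN client address
    for label, flt in [("allow only server", allow_only_server()),
                       ("misordered", allow_only_server_misordered()),
                       ("block only server", block_only_server())]:
        print(label, "->", flt.decide(client, "192.0.2.10"),
              "/", flt.decide(client, "192.0.2.11"),
              "shadowed:", shadowed_rules(flt))
```

Running the script shows the misordered filter dropping traffic to the server as well, and `shadowed_rules` naming the allow rule as dead, which is the same symptom you would see on the concentrator if the drop-all rule were listed first.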
