Re: How to restrict VPN clients to access certain network device
There are two methods which can be combined, assuming you're using the Cisco VPN client.
1. Enable split tunneling. It will tell the clients what should be sent over the tunnel and what shouldn't. Only include in the split tunnel lists what you want clients to connect to.
2. Create filters on the VPN concentrator for the VPN group that only allows access to what you would like. Create the rules/filters under "Policy Management" and them apply them to the group on the "General" tab using the "Filters" drop down box.
I recommend using both. This means all internal networks should be defined in the split-tunnel and go across the VPN session. Use the filters to deny what you don't want at the concentrator. This will prevent your VPN clients from sending traffic meant for the internal network out to the Internet instead. You don't want any traffic like meant for internal networks inadvertently going out to the Internet in clear-text.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...