I'm brand new to the VPN world. I have a VPN 3005 Concentrator set up. I do get a successful connection and can access all the services of our network like I was at work. My next step was to limit access so a user could only connect to services via Microsoft's Remote Desktop and a Win2k Server running the admin Terminal Services. We don't have a fully integrated Win2k AD yet, before anyone asks.
Anyway, I attempted to limit people to connecting via Terminal Services by creating 2 rules, one inbound and one outbound, and then creating the filter. I have set the filter to drop and log traffic that doesn't find a match in the filter. However, the rules I wrote to allow traffic through TCP port 3389 do not work... I'm stuck.
My question is this: where is the Filter I create for a VPN group applied? Inside interface or outside interface? Does anybody have any experience with this that they can share? Even a simple rule that only allows FTP would let me figure out how this works so I can better understand how to create my own rules.
You can apply a filter directly to a group; this is much better than applying it to an interface, so leave those alone.
To allow users to get to TCP/3389 on say, 10.1.1.1, do the following:
Create a rule (under Config - Policy Mgmt - Traffic Mgmt - Rules) that is Inbound/Forward, Source of Anything, Destination of 10.1.1.1/0.0.0.0, TCP/3389.
Create another rule, call it Drop All; it can be left at the defaults, which are Inbound, Drop, Source of anything, Dest of anything.
Create a filter (under Config - Policy Mgmt - Traffic Mgmt - Filters) with default action of forward and add both your new rules to it, making sure the rule that allows access to the host 10.1.1.1 is ABOVE the default rule that will drop everything else.
Modify the group and under the General tab, apply the filter here. Save and Apply changes.
If you want to allow further traffic, just add more Rules and then apply them to the Filter. Just make sure the new rules are always placed ABOVE the Drop All rule, since they're read from top down.
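To make the ordering point concrete, here is a small model of the top-down, first-match filter evaluation the answer above describes. It is an added example, not code from the VPN 3000 Concentrator or from Cisco: the rule and filter names, the client address 192.168.50.10 (assumed to be an address from the group's pool) and the sample packets are all constructed, and "inbound" is taken, as in the answer, to mean traffic from the VPN client toward the inside network. Wildcard masks follow the Cisco convention used in the answer (10.1.1.1/0.0.0.0 is exactly one host).

```python
"""Model of top-down filter evaluation: first matching rule wins, otherwise
the filter's default action applies. Constructed example, not vendor code."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco-style wildcard mask: a 0 bit must match, a 1 bit is 'don't care'.
    10.1.1.1 / 0.0.0.0 is one host, 10.1.1.0 / 0.0.0.255 is a /24,
    0.0.0.0 / 255.255.255.255 is 'anything'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass
class Packet:
    direction: str            # "inbound" (client -> inside network) or "outbound"
    src: str
    dst: str
    protocol: str             # "tcp", "udp", ...
    dst_port: Optional[int] = None


@dataclass
class Rule:
    name: str
    action: str                                            # "forward" or "drop"
    direction: str = "inbound"
    src: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")  # anything
    dst: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")  # anything
    protocol: str = "any"
    dst_port: Optional[int] = None                         # None = any port

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol != "any" and pkt.protocol != self.protocol:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        return wildcard_match(pkt.src, *self.src) and wildcard_match(pkt.dst, *self.dst)


@dataclass
class Filter:
    name: str
    default_action: str                 # used only when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Walk the rules top down; return (action, name of the rule that decided)."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default"


# The two rules from the answer; the names are assumed.
ALLOW_RDP = Rule("Allow RDP to 10.1.1.1", "forward",
                 dst=("10.1.1.1", "0.0.0.0"), protocol="tcp", dst_port=3389)
DROP_ALL = Rule("Drop All", "drop")


def build_filter(rules_top_down: List[Rule], default_action: str = "forward") -> Filter:
    return Filter("TS-only", default_action, list(rules_top_down))


def sample_packets() -> List[Packet]:
    """Constructed traffic from an assumed VPN client address 192.168.50.10."""
    return [
        Packet("inbound", "192.168.50.10", "10.1.1.1", "tcp", 3389),  # RDP to the TS
        Packet("inbound", "192.168.50.10", "10.1.1.1", "tcp", 445),   # SMB to the TS
        Packet("inbound", "192.168.50.10", "10.1.1.2", "tcp", 3389),  # RDP to another host
        Packet("inbound", "192.168.50.10", "10.1.1.1", "udp", 3389),  # wrong protocol
    ]


def decisions(flt: Filter) -> List[str]:
    return [flt.evaluate(p)[0] for p in sample_packets()]


if __name__ == "__main__":
    cases = [
        ("allow above Drop All", build_filter([ALLOW_RDP, DROP_ALL])),
        ("Drop All above allow", build_filter([DROP_ALL, ALLOW_RDP])),
        ("no Drop All, default forward", build_filter([ALLOW_RDP])),
    ]
    for label, flt in cases:
        print(f"{label}: {decisions(flt)}")
```

Running it shows the three outcomes that matter: with the allow rule above Drop All only TCP/3389 to 10.1.1.1 is forwarded; with Drop All on top nothing gets through, including RDP; and with the allow rule alone and the filter's default left at forward, everything is forwarded, which is why the answer adds an explicit Drop All rule rather than relying on the default.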