
VPNC - filters on the local LAN segment?

teodorgeorgiev
Level 4

Hi list,

I have the following issue:

* VPNC 3000

* Different customer groups (A, B, C).

All of them get IP addresses from several pools. The problem is that I have only one default gateway for all the tunneled users, which messes up my plans.

Is there a way to assign a different default gateway to each group of tunneled users?

Or another question...

Since I have the same default gateway for all the users, if I put them in the same IP pool (like 172.16.30.0/24) can I apply filters that will block traffic in the local segment "before" the default gateway?


mmasha
Level 1

You can do it with PBR (Policy-Based Routing), but if you have 3 class /24 IP addresses and your fa0 IP address is 172.16.30.1, then if your provider routes all 3 of your classes to this IP, your problem is solved and you don't need to do PBR. With one default gateway you can handle it.

puagarwa
Level 1

You can filter the traffic on the 3000 itself.

Go to Configuration | Policy Management | Traffic Management | Rules and define rules for the specific traffic which you want to allow.

Then go to Configuration | Policy Management | Traffic Management | Filters, define a new filter and assign the new rule to the filter.

Lastly, go to Configuration | User Management | Groups, highlight the group for VPN clients and modify it. Under the General tab you have an option for a filter; apply the newly created filter in it.

I hope this answers your question.

Hi,

I am aware of how to configure Rules and Filters, however:

* Let's suppose my customers are assigned IP addresses from 192.168.30.2-254.

The default gateway is 192.168.30.1

So, I will apply a filter. But my experience shows that this filter cannot restrict traffic going to / coming from IP addresses in the same 192.168.30/24 subnet :(

If it works, then all my problems are solved.

Regarding the previous post --> yes, I can have all three groups assigned IP addresses from the same subnet, and then they will all use the same default gateway.

But then I need to apply filters in order to assign them different access policies, and it looks like it does not work for local addresses :(

I am not sure which default gateway you are talking about (the IP 192.168.30.1). Is this a router behind the VPN 3000? Could you please be more clear about which default gateway you are talking about?

I have applied the filter on the group N number of times and it always restricts the traffic coming from the VPN clients according to the filter rules.

Have you tried the Network List instead of Filters, or with the filters? CVPN will send the route locally to the node. It is like the ROUTE ADD command in a DOS shell. The traffic won't be sent over your CVPN if your destination network is not in it. If you want the traffic to pass through your CVPN, just add the network you want to the Network List.
