Access Rules for VPN tunnels

Brian Bergin
Level 4

I have a customer that needs to create a VPN between two RV082's that would limit the remote site's access to certain devices (in this case telnet-based bar code scanners and IP printers) and from those devices to a single server on the host side.

The VPN setup is simple and was done in a couple of minutes, but what I'm finding is that even after setting up rules with LAN as the source and Any as the destination, the rules don't seem to affect tunnel traffic specifically. I can block all traffic, but as soon as I open up, say, port 23 for telnet access from certain devices, any device can access the remote side.

Any thoughts on adding a source and destination option of "VPN" to the options?

9 Replies

Steven DiStefano
VIP Alumni

The RV082 'DHCP Server' only supports one subnet, so even though we can do 'port based VLAN' segregation in the local LAN, as soon as you define that subnet as your local group to be shared in the tunnel, I am pretty sure all devices are fair game.

Having said that, when you do set up the tunnel, there is an option on the RV082 'Local Group Setup' and the 'Remote Group Setup' (these are usually the 'subnets' from each site to be shared) that you can try. It's called IP RANGE (instead of Subnet). This lets you pick the hosts to be shared. May require you to statically assign IPs to these clients. Maybe put the devices you want to share at the high end of the range that the DHCP server won't get to, and share those as the IP Range...

Make any sense?

I hope I understood correctly?

I'll try that again, but if memory serves it said "not defined as a valid host" or something to that end.

One thing is we don't use the DHCP server from inside the 82's on most of our customers' networks as they use 2003 or 2008 Active Directory Servers which offer many more DHCP options.

Perhaps they can assign addressing per MAC address to accomplish the IP Range thing we discussed for the tunnel...

Not sure I follow. Yes, IPs can be assigned by MAC (e.g. DHCP reservation), but you don't want to have 2 DHCP servers on the same LAN, and you really don't want to use DHCP servers that aren't AD aware on an AD network.

Not suggesting two DHCP servers. Use yours if you have to. Just make sure those devices that you don't want to be shared across the tunnel have IP address assignments beyond the range you specify in the tunnel config; that is what I am suggesting to try. I haven't done this myself, so it's a suggestion at this point.

Will give that a try.

Steven DiStefano
VIP Alumni

BTW, we have a support community over here: www.cisco.com/go/smallbizsupport where you may get more eyes.

This post has been moved to the Small Business Support community.

Cisco Moderation Team
