Cisco Support Community
New Member

Access Rules for VPN tunnels

I have a customer that needs to create a VPN between two RV082s that would limit the remote site's access to certain devices (in this case telnet-based bar code scanners and IP printers) and from those devices to a single server on the host side.

The VPN setup is simple and was done in a couple of minutes, but what I'm finding is that even after setting up rules with LAN as the source and Any as the destination, the rules don't seem to affect tunnel traffic specifically. I can block all traffic, but as soon as I open up, say, port 23 for telnet access from certain devices, any device can access the remote side.

Any thoughts on adding a source and destination option of "VPN" to the options?


Re: Access Rules for VPN tunnels

The RV082 'DHCP Server' only supports one subnet, so even though we can do 'port based VLAN' segregation in the local LAN, as soon as you define that subnet as your local group to be shared in the tunnel, I am pretty sure all devices are fair game.

Having said that, when you do set up the tunnel, there is an option on the RV082 'Local Group Setup' and the 'Remote Group Setup' (these are usually the 'subnets' from each site to be shared) that you can try. It's called IP RANGE (instead of Subnet). This lets you pick the hosts to be shared. May require you to statically assign IPs to these clients. Maybe put the devices you want to share at the high end of the range that the DHCP server won't get to, and share those as the IP Range...

Make any sense?

I hope I understood correctly?

New Member

Re: Access Rules for VPN tunnels

I'll try that again, but if memory serves it said not defined as a valid host or something to that end.

New Member

Re: Access Rules for VPN tunnels

One thing is we don't use the DHCP server inside the 82s on most of our customers' networks, as they use 2003 or 2008 Active Directory servers, which offer many more DHCP options.

Re: Access Rules for VPN tunnels

Perhaps they can assign addressing per MAC address to accomplish the IP Range thing we discussed for the tunnel...

New Member

Re: Access Rules for VPN tunnels

Not sure I follow. Yes, IPs can be assigned by MAC (e.g. DHCP reservation), but you don't want to have 2 DHCP servers on the same LAN, and you really don't want to use DHCP servers that aren't AD aware in an AD network.

Re: Access Rules for VPN tunnels

Not suggesting two DHCP servers. Use yours if you have to. Just make those devices that you don't want to be shared across the tunnel have IP address assignments beyond the range you specify in the tunnel config is what I am suggesting to try. I haven't done this myself, so it's a suggestion at this point.
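To sanity-check the addressing plan the replies above describe (shared devices inside a tunnel IP Range that sits above the DHCP pool, everything else outside it), here is an added Python check; it is not from this thread or from Cisco, it assumes the RV082 IP Range group is an inclusive first-to-last IPv4 range, and all addresses in it are constructed samples.

```python
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[str, str]  # inclusive (first, last) IPv4 range


def _bounds(rng: IPRange) -> Tuple[int, int]:
    """Convert an inclusive (first, last) range into integer bounds."""
    lo = int(ipaddress.IPv4Address(rng[0]))
    hi = int(ipaddress.IPv4Address(rng[1]))
    if hi < lo:
        raise ValueError(f"range end {rng[1]} precedes start {rng[0]}")
    return lo, hi


def _in_range(ip: str, rng: IPRange) -> bool:
    lo, hi = _bounds(rng)
    return lo <= int(ipaddress.IPv4Address(ip)) <= hi


def check_tunnel_plan(tunnel_range: IPRange, dhcp_pool: IPRange,
                      shared: Iterable[str], private: Iterable[str]) -> List[str]:
    """Return a list of planning problems (empty list means the plan is consistent).

    tunnel_range: the IP Range entered as the tunnel's Local Group.
    dhcp_pool:    the dynamic pool of the site's (AD) DHCP server.
    shared:       devices that must be reachable over the tunnel.
    private:      devices that must never be covered by the tunnel selector.
    """
    problems = []
    t_lo, t_hi = _bounds(tunnel_range)
    d_lo, d_hi = _bounds(dhcp_pool)
    # A dynamic lease landing inside the tunnel range would silently share that host.
    if t_lo <= d_hi and d_lo <= t_hi:
        problems.append("tunnel IP Range overlaps the DHCP pool")
    for ip in shared:
        if not _in_range(ip, tunnel_range):
            problems.append(f"shared device {ip} is outside the tunnel IP Range")
    for ip in private:
        if _in_range(ip, tunnel_range):
            problems.append(f"private device {ip} falls inside the tunnel IP Range")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: pool .50-.150, tunnel range .200-.220 (static assignments).
    for p in check_tunnel_plan(("192.168.1.200", "192.168.1.220"),
                               ("192.168.1.50", "192.168.1.150"),
                               shared=["192.168.1.201", "192.168.1.202"],
                               private=["192.168.1.60", "192.168.1.210"]):
        print("PROBLEM:", p)
```

The range only controls which hosts the tunnel selector covers; it does not replace access rules, so a misplaced static address (the .210 case in the sample) is exactly the kind of slip this check is meant to catch before the tunnel is brought up.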

New Member

Re: Access Rules for VPN tunnels

Will give that a try.

Re: Access Rules for VPN tunnels

BTW, we have a support community over here:

www.cisco.com/go/smallbizsupport where you may get more eyes.

New Member

Re: Access Rules for VPN tunnels

This post has been moved to the Small Business Support community.

Cisco Moderation Team
