Client VPN and access rules

lfkentwell
Level 1

I have a pretty simple question.  I am practicing my VPN client on an ASA setup.  I've got a successful tunnel running between a VPN client on a Windows machine and even from an iPad.  Now that I can establish a tunnel, do I need rules to actually allow and restrict traffic?  Can someone advise on what I need to do if I wanted to allow ping and HTTP traffic only inbound?

Thanks.

4 Replies

rizwanr74
Level 7

You can restrict within the allowed IP segment on the VPN client using a filter, so follow the link below for the configuration guideline.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

You can allow or disallow VPN clients using their own internet connection to surf the web by using split tunnel, so follow the link below for the configuration guideline. If you choose not to apply split-tunnel, then remote VPN client users will not have access to web browsing while connected to the network.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

If you choose to allow remote VPN clients to browse the web via your corporate internet connection, then you must NAT the remote-client DHCP pool to the outside interface as shown below, assuming the remote VPN client pool is "10.0.255.0 255.255.255.0":

nat (outside) 1 10.0.255.0 255.255.255.0

Hope that answers your questions.

thanks

Rizwan Rafeek

Awesome, that helps.  One last question.  Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network.  Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?

Thanks,

"Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network.  Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?"

NAT zero (otherwise known as no-NAT) that you apply on the inside interface, pairing the remote VPN pool with the internal network segment, will allow the internal segment to be accessed via the remote VPN client:

access-list my-no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0

nat (inside) 0 access-list my-no-nat

In the example shown above, remote VPN clients coming in on the pool (i.e. 10.0.255.0 255.255.255.0) will be able to access resources inside the network segment 192.168.1.0 255.255.255.0.

If the remote VPN clients need to access more networks besides "192.168.1.0 255.255.255.0", then you need to add those networks to the ACL (my-no-nat), paired with the pool (i.e. 10.0.255.0 255.255.255.0).

Please rate helpful post, so that the thread will be useful for someone else.

thanks
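The two replies above cover the pieces separately (a vpn-filter to restrict what the client may reach, split-tunnel, and the no-NAT exemption). The following is an added, consolidated example of the same pieces put together for the original question (ping and HTTP only, from the client into 192.168.1.0/24); it is not configuration posted by either participant. It uses the pre-8.3 NAT syntax that the thread uses, and the names VPN-POOL, VPN-FILTER, SPLIT-TUNNEL, NO-NAT, VPN-CLIENT-GP and VPN-CLIENT are assumed. Two points worth knowing when reading it: by default the ASA has sysopt connection permit-vpn enabled, so decrypted VPN traffic bypasses the interface access lists and the vpn-filter is what actually restricts the client; and a vpn-filter ACL is written with the remote client as the source and the inside network as the destination, whichever direction the packet travels.

```cisco
! Address pool handed to remote-access clients (the 10.0.255.0/24 pool from the thread)
ip local pool VPN-POOL 10.0.255.1-10.0.255.254 mask 255.255.255.0

! vpn-filter ACL: source is always the remote client, destination the inside segment.
! Only ICMP (ping) and TCP/80 (HTTP) from the client into 192.168.1.0/24 are permitted;
! the final deny makes the implicit deny explicit and logs what was dropped.
access-list VPN-FILTER extended permit icmp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-FILTER extended permit tcp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
access-list VPN-FILTER extended deny ip any any log

! Split-tunnel ACL: only 192.168.1.0/24 goes through the tunnel, the client's own
! internet connection is used for everything else.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! Group policy that ties the filter and the split-tunnel list to the clients
group-policy VPN-CLIENT-GP internal
group-policy VPN-CLIENT-GP attributes
 vpn-filter value VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Remote-access tunnel group using the pool and the group policy above
tunnel-group VPN-CLIENT type remote-access
tunnel-group VPN-CLIENT general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-CLIENT-GP

! NAT exemption (the "nat 0" from the second reply): traffic between the inside
! segment and the VPN pool is not translated, so clients reach inside hosts by
! their real addresses. Add one line per additional inside network.
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
```

To widen access later (the second question in the thread), the vpn-filter is what changes: replace the two permit lines with `permit ip 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0`, or remove the `vpn-filter value` line from the group policy to lift the restriction entirely; the NO-NAT exemption is still required either way, since without it inside replies would be translated and the sessions would fail. On ASA 8.3 and later the `nat (inside) 0 access-list` form no longer exists and the exemption is expressed as a twice NAT rule with network objects (`nat (inside,outside) source static ... destination static ...`); the filter and split-tunnel parts are unchanged.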