03-06-2012 01:14 PM
I have a pretty simple question. I am practicing my VPN client on an ASA setup. I've got a successful tunnel running between a VPN client on a Windows machine and even from an iPad. Now that I can establish a tunnel, do I need rules to actually allow and restrict traffic? Can someone advise on what I need to do if I wanted to allow ping and HTTP traffic only inbound?
Thanks.
03-06-2012 03:22 PM
You can restrict within the allowed IP segment on the VPN client using a filter, so follow the link below for the applying guideline.
You can allow or disallow VPN clients to use their own internet connection to surf the web by using split tunnel, so follow the link below for the applying guideline. If you choose not to apply split tunnel, then remote VPN client users will not have access to web browsing while connected to the network.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml
If you choose to allow the remote VPN client to browse the web via your corporate internet connection, then you must NAT the remote client DHCP pool to the outside interface as shown below; assume the remote VPN client pool is "10.0.255.0 255.255.255.0":
nat (outside) 1 10.0.255.0 255.255.255.0
Hope that answers your questions.
thanks
Rizwan Rafeek
03-06-2012 03:26 PM
Awesome, that helps. One last question. Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?
Thanks,
03-06-2012 04:36 PM
"Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?"
NAT zero (otherwise known as no-NAT) that you apply on the inside interface, pairing the remote VPN pool with the internal network segment, will allow access via the remote VPN client:
access-list my-no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list my-no-nat
In the example shown above, remote VPN clients coming from the pool (i.e. 10.0.255.0 255.255.255.0) will be able to access resources inside the network segment 192.168.1.0 255.255.255.0.
If the remote VPN client needs to access more networks besides "192.168.1.0 255.255.255.0", then you need to add those networks to the ACL (my-no-nat), paired with the pool (i.e. 10.0.255.0 255.255.255.0).
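Putting the two answers together, here is a complete remote-access configuration as an added example; it is not one of the posters' configs and not a Cisco-published one. It assumes the ASA 8.2-style NAT syntax used in the thread, the inside segment 192.168.1.0/24 and client pool 10.0.255.0/24 from the thread, and made-up names (VPN-POOL, VPN-FILTER, SPLIT-TUNNEL, VPN-CLIENT-GP, VPN-CLIENT-TG). The IKE/IPsec crypto settings are left out because the original poster already has a working tunnel. It answers the first question (ping and HTTP only) with a vpn-filter and the second (no-NAT so inside hosts are reachable) with the same nat 0 exemption the thread shows.

```cisco
! Address pool handed to remote-access clients (range is an assumption)
ip local pool VPN-POOL 10.0.255.1-10.0.255.254 mask 255.255.255.0

! NAT exemption: inside <-> pool traffic is not translated (same as the thread's my-no-nat)
! Add one line per extra internal segment the clients should reach
access-list my-no-nat extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list my-no-nat

! VPN filter: write it with the client pool as source and the inside network as
! destination; the ASA evaluates a vpn-filter in both directions, so return
! traffic is covered. Everything not listed is dropped by the implicit deny.
access-list VPN-FILTER extended permit icmp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-FILTER extended permit tcp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0 eq www

! Split tunnel: only 192.168.1.0/24 is sent through the tunnel; the client's own
! internet link is used for everything else
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! Group policy ties the filter and the split-tunnel list to the clients
group-policy VPN-CLIENT-GP internal
group-policy VPN-CLIENT-GP attributes
 vpn-filter value VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Tunnel group hands out the pool and applies the group policy
tunnel-group VPN-CLIENT-TG type remote-access
tunnel-group VPN-CLIENT-TG general-attributes
 address-pool VPN-POOL
 default-group-policy VPN-CLIENT-GP
```

Two points worth knowing when reading this. First, the ASA enables `sysopt connection permit-vpn` by default, so decrypted VPN traffic bypasses the outside interface ACL; the vpn-filter (or turning that sysopt off) is therefore the place where "ping and HTTP only" has to be enforced, and for the second question (clients may reach every inside host) you simply omit the `vpn-filter value` line while keeping the nat 0 exemption. Second, if you drop the split tunnel and instead send client web traffic out through the corporate link with the thread's `nat (outside) 1 10.0.255.0 255.255.255.0`, that traffic enters and leaves on the same interface, so it additionally needs `same-security-traffic permit intra-interface` and a matching `global (outside) 1 interface`. After connecting, `show vpn-sessiondb detail` shows which filter and group policy a session actually received.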
03-07-2012 06:42 PM
Please rate helpful posts, so that the thread will be useful for someone else.
Thanks