Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Client VPN and access rules

I have a pretty simple question.  I am practicing my VPN client on an ASA setup.  I've got a succesful tunnel running between a VPN client on a windows machine and even from an iPad.Now that I can establish a tunnel do i need rules to actually allow and restrict traffic?  Can someone advise on what i need to do if I wanted to allow ping and http traffic only inbound ?

Thanks.

4 REPLIES

Re: Client VPN and access rules

You can restrict within allowed ip-segment on vpn-client using filter, so follow the link below for applying guideline.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

You can allow or disallow vpn-client use their own internet connection to surf the web by using split tunnel, so follow the line below for applying guideline, if you choose to not to apply split-tunnel, then remote vpn-client users will not have access to web browsing while connected to network.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

If you choose to allow remote-vpn client to browse the web via your corprate internet connection then you must nat the remote-client dhcp-pool to outside interface as shown below, assume remote vpn-client pool is "10.0.255.0 255.255.255.0"

nat (outside) 1 10.0.255.0 255.255.255.0

hope that answers your questions.

thanks

Rizwan Rafeek

Community Member

Client VPN and access rules

Awesome that helps.  One last question.  Assumig I dont want to restric them incoming I want them to be able to access any host inside my network.  Do I need to create a rule or anykind to allow this incomign access or does the ASA just allow it?

Thanks,

Re: Client VPN and access rules

"Assumig I dont want to restric them incoming I want them to be able to access any host inside my network.  Do I need to create a rule or anykind to allow this incomign access or does the ASA just allow it?"

Nat zero (otherwise known as no-nat) you apply on the inside interface paring with remote vpn-pool and internal network segment will be allow to access via remote-vpn client

access-list my-no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0

nat (inside) 0 access-list my-no-nat

in the example shown above remote-vpn client coming on pool (i.e. 10.0.255.0 255.255.255.0) will be able to access resources inside the network segment 192.168.1.0 255.255.255.0.

if the remote vpn-client need to access more networks beside "192.168.1.0 255.255.255.0" then you need add those network on the ACL (my-no-nat) pair with  (i.e. 10.0.255.0 255.255.255.0)

Re: Client VPN and access rules

Please rate helpful post, so that the thread will be useful for someone else.

thanks

365
Views
4
Helpful
4
Replies
CreatePlease to create content