I have a pretty simple question. I am practicing my VPN client on an ASA setup. I've got a successful tunnel running between a VPN client on a Windows machine and even from an iPad. Now that I can establish a tunnel, do I need rules to actually allow and restrict traffic? Can someone advise on what I need to do if I wanted to allow ping and HTTP traffic only inbound?
You can allow or disallow VPN clients using their own internet connection to surf the web by using split tunnel, so follow the guideline below for applying it. If you choose not to apply split tunnel, then remote VPN client users will not have access to web browsing while connected to the network.
If you choose to allow remote VPN clients to browse the web via your corporate internet connection, then you must NAT the remote-client DHCP pool to the outside interface as shown below; assume the remote VPN client pool is "10.0.255.0 255.255.255.0".
Awesome, that helps. One last question. Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?
"Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?"
NAT zero (otherwise known as no-NAT) that you apply on the inside interface, pairing the remote VPN pool with the internal network segment, will allow that segment to be accessed by the remote VPN clients:
access-list my-no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list my-no-nat
In the example shown above, remote VPN clients coming in on the pool (i.e. 10.0.255.0 255.255.255.0) will be able to access resources inside the network segment 192.168.1.0 255.255.255.0.
If the remote VPN clients need to access more networks besides "192.168.1.0 255.255.255.0", then you need to add those networks to the ACL (my-no-nat), paired with the pool (i.e. 10.0.255.0 255.255.255.0).
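Pulling the pieces of this thread together, the following is an added configuration example, not the original poster's or the answerer's own config, written in the same pre-8.3 ASA NAT syntax the answer uses (`nat (inside) 0 access-list ...`). The interface names inside/outside, the pool 10.0.255.0/24 and the inside network 192.168.1.0/24 follow the thread; the names RA-POOL, SPLIT-TUNNEL, VPN-FILTER, RA-GP and RA-TG are assumed. Section 2a and 2b are the two alternatives the first answer describes (split tunnel versus browsing through the corporate connection); section 3 uses a vpn-filter to answer the original question of allowing only ping and HTTP.

```cisco
! Added example, not the thread's own configuration. Assumed names: RA-POOL,
! SPLIT-TUNNEL, VPN-FILTER, RA-GP, RA-TG. Addresses follow the thread.
! Pre-8.3 NAT syntax to match the answer's "nat (inside) 0 access-list".
! The IKE/IPsec (or AnyConnect) settings of the already-working tunnel
! are left as they are and not repeated here.

ip local pool RA-POOL 10.0.255.1-10.0.255.254 mask 255.255.255.0

! 1. NAT exemption ("nat zero"): inside hosts and VPN clients talk without
!    translation. Add one ACE per additional inside network.
access-list my-no-nat extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list my-no-nat

! 2a. Split tunnel: only 192.168.1.0/24 is sent through the tunnel; the
!     client reaches the web over its own Internet connection.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0

! 2b. Alternative when split tunnel is NOT used (tunnelall, the default):
!     PAT the pool out the outside interface so clients browse via the
!     corporate connection. Decrypted client traffic enters and leaves
!     the same interface, which the ASA drops unless permitted.
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (outside) 1 10.0.255.0 255.255.255.0

! 3. Restrict VPN clients to ping and HTTP only. A vpn-filter ACL is
!    written with the VPN client as source and the inside network as
!    destination; the ASA applies it to both directions of the tunnel,
!    and anything not permitted is dropped (implicit deny).
access-list VPN-FILTER extended permit icmp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-FILTER extended permit tcp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80

! Tie it together. Keep the two split-tunnel lines for option 2a; remove
! them (leaving the default tunnelall policy) for option 2b.
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPN-FILTER

tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
```

Two points worth knowing when reading this against the thread. First, `sysopt connection permit-vpn` is on by default, so decrypted VPN traffic bypasses the interface access lists; that is why, as the second answer says, the NAT exemption alone is enough for clients to reach every inside host, and why restricting them needs either a vpn-filter as above or `no sysopt connection permit-vpn` plus explicit entries in the outside interface ACL. Second, check the result rather than assume it: after a client connects, `show access-list my-no-nat` and `show access-list VPN-FILTER` show hit counts per ACE, and a ping plus an HTTP request from the client (and a failing SSH or RDP attempt) confirm that only the permitted traffic gets through.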