Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Filter to allow Internet through VPN

Using a VPN3005, our VPN Clients use Groups to establish the VPN Tunnel to the 3005. We use Filters on those Groups to control which servers they can access (ie. E-Mail, Intranet, File Storage, etc.).

Usually at the end of our list of "permitted" server rules we will have a "deny all servers" rule to prevent access to all other servers and subnets that are not specifically permitted by previous rules.

Unfortunately, this also prevents them from accessing the Internet while connected to the VPN (we don't allow split tunneling).

If we do not apply any filters to the Group (Like for IT Support), traffic to the Internet goes out the Data Center connection. This is what I want for everyone, but I must put filters to restrict access to certain servers (i.e. Accounting, HR, etc..).

What rule do I need to allow VPN clients to access the Internet using our Data Center connection while connected via VPN? I'm sure it is something simple, but I just don't see it....

Thanks in advance for any suggestions or comments!

New Member

Re: Filter to allow Internet through VPN

In the first place, deny all servers may not be a good principle, i guess...


Re: Filter to allow Internet through VPN

What does the deny all servers rule look like? What part of it is blocking net access? Is it blocking dns resolution or web proxy access?

New Member

Re: Filter to allow Internet through VPN

Well, the entire filter consists of a number of rules that allow traffic to individual servers including DNS, DHCP, Email, File Shares, etc.. (all the things that a user would need to get to).

At the end is a rule that basically says deny any traffic to anything. That is extreme, but when I put it together it seemed to me that the rules would be processed in order much like Cisco ACLs.

Therefore, users would get to servers and services they needed because those "permit" lists were at the top. If they were trying to go to a server that was not permitted, then the "deny all" rule would keep them from accessing other servers.

Obviously, this also blocks any web-bound traffic (and I understand this). I am looking for a specific rule that would allow traffic to the web that could be inserted before the "deny all servers" rule.

New Member

Re: Filter to allow Internet through VPN

Just create a rule in the filter that denies all traffic to your internal subnets and then a rule right under that which will permit traffic to anywhere.

New Member

Re: Filter to allow Internet through VPN

Thanks for your suggestion. I have tried it and that works just fine. Thank you very much for your help!