We recently purchased a Cisco SA 540 Security Appliance in order to have VPN access to our company network. The intent is to allow outside vendors specific access to a single server and lock them out of the rest of the network. SSL VPN tunnel is being used.
Setting up the VPN was a breeze, but we are having trouble restricting incoming traffic to the target server. The following things were done:
1. Set up a group for VPN access.
2. Define a network resource consisting of the server IP address.
3. Define a network resource consisting of the entire LAN (a.b.c.d/24).
4. Add a group policy permitting access to the server.
5. Add a group policy denying access to the LAN.
The problem is that after doing this, VPN users can still ping and connect to all systems on the LAN. There does not appear to be anything in the firewall settings that pertains to the VPN tunnel. What needs to be done to put an effective restriction in place? Thanks for any help with this!
There are a few ways to do this depending on what you have configured. You can use dynamic access policies, proxy auth, egress access-control lists for the VPN pool (use a separate pool for contractors), etc. One easy way is to use the VPN-Filter command as documented below. I would suggest you read the doc all the way through to understand how to use the feature.
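What the vpn-filter approach in the answer above looks like on an ASA, as an added example that is not part of the original thread. It is ASA CLI, so it does not apply to the GUI-only SA 540 from the question; it assumes placeholder addresses (server 192.0.2.10, LAN 192.0.2.0/24, a dedicated vendor pool 10.99.0.0/24) and placeholder object names (VENDOR-POOL, VENDOR-VPN-FILTER, VENDOR-GP, VENDOR-TG).

```text
! Added example, not from the original post. Placeholders:
!   192.0.2.10    = the one server vendors may reach
!   192.0.2.0/24  = the rest of the LAN (must stay unreachable)
!   10.99.0.0/24  = address pool handed only to vendor VPN clients

! A separate pool for vendors, so the filter touches only their sessions.
ip local pool VENDOR-POOL 10.99.0.1-10.99.0.50 mask 255.255.255.0

! vpn-filter ACL for remote-access clients: source = client-assigned
! address, destination = local resource. Only the needed ports are
! permitted; the explicit deny (with log) makes drops visible, and the
! implicit deny would drop ping and every other LAN host anyway.
access-list VENDOR-VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.0.2.10 eq 3389
access-list VENDOR-VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 192.0.2.10 eq 22
access-list VENDOR-VPN-FILTER extended deny ip 10.99.0.0 255.255.255.0 any log

! Attach the filter to the group policy the vendor group lands in.
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-filter value VENDOR-VPN-FILTER

! Tie the pool and policy to the vendors' tunnel group.
tunnel-group VENDOR-TG type remote-access
tunnel-group VENDOR-TG general-attributes
 address-pool VENDOR-POOL
 default-group-policy VENDOR-GP
```

Two points worth knowing when applying this on an ASA. First, by default decrypted VPN traffic bypasses the interface access lists (`sysopt connection permit-vpn` is on), which is why an ordinary interface ACL never seems to affect tunnel traffic; the vpn-filter is evaluated on the decrypted traffic regardless. Second, the filter is stateful in the sense that return traffic for a permitted connection is allowed, but the ACL itself is written one way (client as source, LAN host as destination), so a reversed ACL silently permits nothing. Check the result with `show access-list VENDOR-VPN-FILTER` after a vendor connects: hit counts on the permit lines and on the deny line confirm that the filter is actually applied to that session.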
This router is a new product and is completely web/GUI-based as far as setup. None of the normal recommendations for CLI-based Cisco routers apply to it as far as I can tell. I'm also running into problems getting telnet traffic through the tunnel, but that's a topic for another posting...