Cisco Support Community

New Member

How to restrict VPN access to LAN with SA540?

We recently purchased a Cisco SA 540 Security Appliance in order to have VPN access to our company network. The intent is to allow outside vendors specific access to a single server and lock them out of the rest of the network. An SSL VPN tunnel is being used.

Setting up the VPN was a breeze, but we are having trouble restricting incoming traffic to the target server. The following things were done:

1. Set up a group for VPN access.

2. Define a network resource consisting of the server IP address.

3. Define a network resource consisting of the entire LAN (a.b.c.d/24).

4. Add a group policy permitting access to the server.

5. Add a group policy denying access to the LAN.

The problem is that after doing this, VPN users can still ping and connect to all systems on the LAN. There does not appear to be anything in the firewall settings that pertains to the VPN tunnel. What needs to be done to put an effective restriction in place? Thanks for any help with this!

3 REPLIES
Cisco Employee

Re: How to restrict VPN access to LAN with SA540?

There are a few ways to do this depending on what you have configured. You can use dynamic access policies, proxy auth, egress access-control lists for the VPN pool (use a separate pool for contractors), etc. One easy way is to use the VPN-Filter command as documented below. I would suggest you read the doc all the way through to understand how to use the feature.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
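The vpn-filter approach from the reply above, as an added ASA CLI example (not from the reply or the linked document): one SSL VPN group is pinned to a single internal server and everything else on the LAN is dropped by the filter's implicit deny. All names and addresses are assumed; the internal server is 10.1.1.20 and the vendor pool is 192.168.250.0/24.

```cisco
! Added example, not from the original reply. Names and addresses are assumed.
! A vpn-filter is needed because, with the default "sysopt connection permit-vpn",
! decrypted VPN traffic bypasses the interface ACLs entirely.
!
! Give the vendor group its own pool so the filter can match on it.
ip local pool VENDOR-POOL 192.168.250.10-192.168.250.50 mask 255.255.255.0
!
! vpn-filter ACEs are written with the INTERNAL host as the source and the
! client pool as the destination. Only these two services are reachable;
! the implicit deny at the end blocks the rest of the LAN. Ping from the
! client will also be dropped unless an icmp ACE is added deliberately.
access-list VENDOR-FILTER extended permit tcp host 10.1.1.20 eq 3389 192.168.250.0 255.255.255.0
access-list VENDOR-FILTER extended permit tcp host 10.1.1.20 eq 22 192.168.250.0 255.255.255.0
!
! Group policy used only by the vendor tunnel-group.
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VENDOR-POOL
 vpn-filter value VENDOR-FILTER
!
! Separate connection profile so staff sessions never inherit this filter.
tunnel-group VENDOR-TG type remote-access
tunnel-group VENDOR-TG general-attributes
 default-group-policy VENDOR-GP
tunnel-group VENDOR-TG webvpn-attributes
 group-alias vendors enable
!
! Verification: hit counts on the filter ACEs, and the policy actually bound.
show access-list VENDOR-FILTER
show running-config group-policy VENDOR-GP
```

Test from a vendor login that the two listed ports on 10.1.1.20 work and that a connection to any other LAN host fails, and compare the ACE hit counts before and after.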

New Member

Re: How to restrict VPN access to LAN with SA540?

This router is a new product and is completely web/GUI-based as far as setup. None of the normal recommendations for CLI-based Cisco routers apply to it as far as I can tell. I'm also running into problems getting telnet traffic through the tunnel, but that's a topic for another posting...

Cisco Employee

Re: How to restrict VPN access to LAN with SA540?

You are talking about the ASA 5540, right? This is a Cisco firewall. You should be able to access the command line with either SSH or telnet. Here is how to set it up both via the CLI and the GUI.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml
