A global Access-List for VPN3005 possible?

wagnerch
Level 1

Hi,

I would like to control what the VPN users and LAN-to-LAN profiles are allowed to do.

e.g. to block the RPC port (tcp/135) for all traffic coming from any profile

Is this possible?

Regards,

Chris

Accepted Solution

gfullage
Cisco Employee

You can create this filter in one place, and then just apply it to each user group and to each L2L tunnel config.

Go under Config - Policy Mgmt - Traffic Mgmt - Rules, add a rule that is Inbound, Drop, Protocol = TCP, Source and Dest of Any (leave them as is), TCP Dest Port range of 135 to 135.

Go under Config - Policy Mgmt - Traffic Mgmt - Filters, add a filter whose default action is to forward, then add the rule you just created to that filter.

Now you can apply that to all the users by going under the Group and under the General tab and adding the filter in there. You can also go under the L2L tunnel config and add the filter to the tunnel directly.

Note you'll want to test this first, I haven't done any testing and may have the source/dest or inbound/outbound around the wrong way or something like that.
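The rule-then-filter procedure above is built in the concentrator's GUI, so there is nothing to paste; the following Python model is an added example (not from the post or from Cisco) that reproduces the semantics of the answer: one rule (Inbound, Drop, TCP, any source, any destination, dest port 135-135) placed in a filter whose default action is Forward, evaluated against a few constructed sample flows. It assumes first-match evaluation with the filter's default applied when no rule matches; the flow addresses, the names `drop-tcp-135` and `vpn-global`, and the `unblocked_port_135` check are all invented for the illustration. The check is there for the closing caveat: it reports any TCP/135 flow the filter still forwards, which is exactly what you would want to confirm when testing whether the rule's direction is the right way round.

```python
"""Model of a VPN 3000-style filter: ordered rules, first match wins,
filter default action otherwise.  Assumed semantics, not vendor code."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One flow as the filter engine would classify it (constructed sample data)."""
    direction: str   # "inbound" or "outbound" relative to the tunnel/group
    protocol: str    # "tcp" or "udp"
    src: str
    dst: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Mirrors the fields set on the Rules page: direction, action, protocol,
    source, destination and a destination port range (inclusive)."""
    name: str
    direction: str
    action: str                               # "drop" or "forward"
    protocol: Optional[str] = None            # None = any protocol
    src: Optional[str] = None                 # None = any source
    dst: Optional[str] = None                 # None = any destination
    dst_ports: Tuple[int, int] = (0, 65535)   # (lo, hi), inclusive

    def matches(self, pkt: Packet) -> bool:
        if pkt.direction != self.direction:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.src is not None and pkt.src != self.src:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        lo, hi = self.dst_ports
        return lo <= pkt.dst_port <= hi


@dataclass(frozen=True)
class Filter:
    """A filter with a default action and an ordered rule list."""
    name: str
    default_action: str
    rules: List[Rule] = field(default_factory=list)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (action, reason): the first matching rule, else the default."""
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action, rule.name
        return self.default_action, "default"


# The rule and filter exactly as the answer describes them (names are invented).
BLOCK_RPC = Rule(name="drop-tcp-135", direction="inbound", action="drop",
                 protocol="tcp", dst_ports=(135, 135))
VPN_FILTER = Filter(name="vpn-global", default_action="forward", rules=[BLOCK_RPC])

# Constructed flows: RPC from a VPN client, SMB from a client, UDP to 135,
# and TCP/135 travelling the other way through the tunnel.
SAMPLE_FLOWS = [
    Packet("inbound", "tcp", "10.8.0.5", "192.168.1.10", 135),
    Packet("inbound", "tcp", "10.8.0.5", "192.168.1.10", 445),
    Packet("inbound", "udp", "10.8.0.5", "192.168.1.10", 135),
    Packet("outbound", "tcp", "192.168.1.10", "10.8.0.5", 135),
]


def evaluate(flows: List[Packet], flt: Filter = VPN_FILTER) -> List[Tuple[str, str]]:
    """Run every flow through the filter and collect the decisions."""
    return [flt.decide(p) for p in flows]


def unblocked_port_135(flt: Filter, flows: List[Packet]) -> List[Packet]:
    """Flows to TCP/135 that the filter still forwards.  A non-empty result
    tells you which direction the rule does not cover, which is the thing
    to verify before rolling the filter out to every group and tunnel."""
    return [p for p in flows
            if p.protocol == "tcp" and p.dst_port == 135
            and flt.decide(p)[0] == "forward"]


# Same filter with a second rule for the other direction, to show the check passing.
BOTH_WAYS_FILTER = Filter(name="vpn-global-both", default_action="forward", rules=[
    BLOCK_RPC,
    Rule(name="drop-tcp-135-out", direction="outbound", action="drop",
         protocol="tcp", dst_ports=(135, 135)),
])

if __name__ == "__main__":
    for pkt, (action, why) in zip(SAMPLE_FLOWS, evaluate(SAMPLE_FLOWS)):
        print(f"{pkt.direction:8} {pkt.protocol} {pkt.src} -> {pkt.dst}:{pkt.dst_port}"
              f"  {action} ({why})")
    for flt in (VPN_FILTER, BOTH_WAYS_FILTER):
        gaps = unblocked_port_135(flt, SAMPLE_FLOWS)
        print(f"{flt.name}: {len(gaps)} TCP/135 flow(s) still forwarded")
```

Running it shows the inbound RPC flow dropped by `drop-tcp-135`, SMB and UDP/135 forwarded by the default action, and the outbound TCP/135 flow forwarded under the single-rule filter; the second filter reports no gap. Whether an outbound rule is needed on a real concentrator depends on how it orients inbound/outbound for groups and L2L tunnels, which is the point of the author's advice to test first.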
