03-10-2010 06:34 AM
Hello All-
I'm new to the forum, so please forgive me if I broke any etiquette. I have two remote sites. They each have an RV042 VPN router. The subnet for one site is 190.200.10.x and the other site is 190.200.85.x. I only want IP address range 190.200.85.224-228 to be able to access IP address 190.200.10.5-9. I've tried creating access rules, but they do not work. I have servers in each building and I only want the servers to talk to each other through the VPN tunnel and nothing else. Do the access rules apply only to traffic from the WAN and therefore not apply to a "trusted VPN connection"? If so, is there any way to accomplish what I want to do?
Thank you!
Ken
03-26-2010 04:00 AM
Ken,
It sounds as though you need ACLs that will filter LAN-to-LAN traffic. The main thing you want to keep in mind when writing these is to make sure you deny traffic coming from a specific source (being the other LAN) to the destination. The WAN IP addressing is not involved when doing VPN connections and ACLs.
Bill
03-28-2010 09:44 PM
Sorry for butting in....
Have you tried to create the VPN tunnel using the "local" and "remote" security groups as RANGE rather than SUBNET? Really, that should do exactly what you are describing.
When that is configured, the IPSec tunnel does two things:
1. Only allows traffic from IPs defined in the tunnel (both WAN and LAN source and destination) -- this is the ACL
2. Creates a route statement for all allowed devices through the tunnel.
Try this first and let us know; if you already did this, please post a log.
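To make the SUBNET-versus-RANGE point concrete, here is an added example (written for this page, not code from any poster or from the RV042) that models how a tunnel's local and remote security groups decide which flows are allowed in. The server addresses are the ones from the thread; the workstation and non-server addresses in the sample flows are constructed.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, NamedTuple

Match = Callable[[IPv4Address], bool]

def subnet(cidr: str) -> Match:
    """SUBNET selector: any host in the network matches."""
    net = IPv4Network(cidr)
    return lambda ip: ip in net

def ip_range(first: str, last: str) -> Match:
    """RANGE selector: only hosts from first to last (inclusive) match."""
    lo, hi = IPv4Address(first), IPv4Address(last)
    return lambda ip: lo <= ip <= hi

class Tunnel(NamedTuple):
    local: Match   # "local security group" on the 190.200.85.x router
    remote: Match  # "remote security group" (the 190.200.10.x site)

def tunnel_permits(t: Tunnel, src: str, dst: str) -> bool:
    """A flow enters the tunnel only if BOTH endpoints fall inside the
    selectors; the check is symmetric so replies from the remote site pass."""
    s, d = IPv4Address(src), IPv4Address(dst)
    return (t.local(s) and t.remote(d)) or (t.remote(s) and t.local(d))

# Tunnel with whole subnets on both ends (lets every host through).
SUBNET_TUNNEL = Tunnel(subnet("190.200.85.0/24"), subnet("190.200.10.0/24"))
# Tunnel restricted to the server ranges named in the thread.
RANGE_TUNNEL = Tunnel(ip_range("190.200.85.224", "190.200.85.228"),
                      ip_range("190.200.10.5", "190.200.10.9"))

# Constructed sample flows (src, dst); not taken from any real log.
FLOWS = [
    ("190.200.85.225", "190.200.10.7"),    # server to server
    ("190.200.10.9", "190.200.85.224"),    # reply direction
    ("190.200.85.50", "190.200.10.7"),     # workstation to server
    ("190.200.85.225", "190.200.10.100"),  # server to a non-server host
]

def evaluate(t: Tunnel) -> dict[tuple[str, str], bool]:
    """Return the permit/drop decision for every sample flow."""
    return {flow: tunnel_permits(t, *flow) for flow in FLOWS}

if __name__ == "__main__":
    for name, t in (("SUBNET", SUBNET_TUNNEL), ("RANGE", RANGE_TUNNEL)):
        print(name)
        for (src, dst), ok in evaluate(t).items():
            print(f"  {src:>15} -> {dst:<15} {'permit' if ok else 'drop'}")
```

With SUBNET selectors all four flows are permitted; with RANGE selectors only the two server-to-server flows are, which is the filtering the original question asks for.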