07-22-2010 09:57 AM - edited 03-21-2019 02:48 AM
Hey guys,
I have a remote teleworker that is connecting to our UC520 back at the office. The remote teleworker setup includes an SR520W at the remote site with an SPA525G phone sitting behind it. The remote teleworker is accessing our server and some other applications on our corporate LAN while connected. Is there any way to set up a second VLAN (or use the wireless VLAN solely) for non-VPN traffic? I am already using split tunneling, but the remote teleworker will often have vendors and other parties coming into his office with a need for Internet Access and I'd like to separate traffic for obvious security reasons.
Thanks in advance,
Seth
09-01-2010 08:14 AM
I am returning to this issue as I need to get it resolved for our remote teleworker. Is it possible to set up this second VLAN and completely separate traffic from the VPN connection?
09-02-2010 06:19 AM
Not sure if it's possible with CCA, but you should be able to do it with CLI: create a new VLAN, assign it to a port (or ports), and set up an ACL.
09-02-2010 08:02 AM
Thanks.
I'm going to play around with that later today to see what happens. I'm still a little bit concerned that, although we could put 1 port on VLAN 1 and another port on VLAN 50 (i.e. guest), their traffic would still hit our server if they knew what to look for. That might be a stretch, but it's a security concern at the very least. Is there any way to ensure that only traffic from VLAN 1 travels over the VPN and that traffic from VLAN 50 cannot?
Thanks,
Seth
09-02-2010 10:29 AM
As long as you have a proper ACL (access list) set up, you can restrict the guest VLAN (50?) traffic from reaching your internal VLAN.
09-02-2010 10:43 AM
Thanks again.
Not being much of a CLI guy, can you take a look and see if I'm getting it correct below?
Current Access list:
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.85.0 0.0.0.255
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip *public IP* 0.0.0.3 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host *remote VPN IP* any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.75.0 0.0.0.255 any
192.168.85.x is my new guest VLAN (VLAN 50)
192.168.75.x is the internal VLAN (VLAN 75)
The VPN is a split tunnel configuration where 3 additional subnets are being allowed for voice and data. Let's say that these are:
data - 192.168.10.x
voice - 10.1.1.x
voice - 10.1.10.x
In order to ensure that VLAN 50 on the SR520 cannot interact with these, would I need to include the following commands?
access-list 104 deny 192.168.85.0 192.168.10.0
access-list 104 deny 192.168.85.0 10.1.1.0
access-list 104 deny 192.168.85.0 10.1.10.0
I get a little confused about exactly how the access lists should be numbered and whether these are formatted correctly.
Thanks in advance,
Seth
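For reference, the ACL shape that does what the last post asks, as an added example that is not from anyone in this thread: a named extended ACL applied inbound on the guest VLAN's interface, denying the internal VLAN and the three split-tunnel subnets and permitting everything else. The interface name Vlan50 and the ACL name GUEST_IN are assumptions about the SR520 configuration; the subnets are the ones given in the thread.

```cisco
! Added example, not from the thread. Assumes guest VLAN 50 has an SVI
! named Vlan50 on the SR520 and that 192.168.75.0/24 is the internal VLAN.
! Extended ACLs (numbered 100-199, or named) need a protocol keyword and
! wildcard masks for BOTH source and destination, e.g.
!   access-list 104 deny ip 192.168.85.0 0.0.0.255 192.168.10.0 0.0.0.255
! The three "access-list 104 deny 192.168.85.0 192.168.10.0" lines above
! have neither, so IOS will not accept them as written.
ip access-list extended GUEST_IN
 remark Guest VLAN 50: no path to the internal LAN or split-tunnel subnets
 deny   ip 192.168.85.0 0.0.0.255 192.168.75.0 0.0.0.255 log
 deny   ip 192.168.85.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 deny   ip 192.168.85.0 0.0.0.255 10.1.1.0    0.0.0.255 log
 deny   ip 192.168.85.0 0.0.0.255 10.1.10.0   0.0.0.255 log
 remark Only guest-addressed sources may enter from VLAN 50 (anti-spoofing)
 permit ip 192.168.85.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan50
 description Guest / vendor network - Internet only, no VPN access
 ip access-group GUEST_IN in
!
! Verify: the deny counters should increment when a guest host tries to
! reach 192.168.75.x or one of the tunneled subnets.
! show ip access-lists GUEST_IN
```

The `log` keyword on the deny entries makes blocked attempts visible in the router log, which is the simplest way to confirm the filter is catching guest traffic aimed at the office networks.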