401 Views | 0 Helpful | 3 Replies

Client ACL on VPN3005

Rutger Blom
Level 1

Hello,

I've been trying to set up an ACL (filter) on our 3005 concentrator using this document:

http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a0080094eac.shtml

However, when I connect to the concentrator with this filter active on the group, I'm not able to reach anything, not even the server specified in the filter.

We are using the Cisco pushed policy firewall feature as well. Could this be the problem?

Kind regards,

Rutger

3 Replies

sachinraja
Level 9

Hello Rutger,

It can be either a problem with the filter configuration for the firewall feature or a VPN concentrator configuration issue. You can check the regular configuration of the VPN by removing the filter and trying to access the server. If that works fine, then the problem is only with your firewall filter.

After connecting to the VPN, just see if the required access is given on the firewall tab of the client. If not, change the rules as required (i.e. on the filter config menu). Are you doing split tunneling, or have you disabled it? Please let us know.

All the best!

Hello and thanks for your reply.

Yes, we are using split tunneling. I tested connecting without any firewall rules being pushed. Then it works better, but I was still not able to access servers on VLANs other than the VLAN where the private concentrator interface is terminated. This must be some kind of route/gateway problem. Do I need to define explicit access to the default tunnel gateway in my filter for routing to work?

There is another way, of course. Instead of creating filters on the VPN concentrator, I could set up access-lists on the VLAN where the private interface is terminated (the users are being dropped into this VLAN).

Which method do you recommend? Filters on the concentrator per group, or access-lists on the router per IP address/IP address range?

Kind regards,

Rutger

It depends. We normally apply it on the VLAN to block any unnecessary access across VLANs; a VACL is specifically used for this. The VPN client filter is more meant to block unnecessary broadcasts coming from others connected on that VPN concentrator.

Yes, you need to check the routing between VLANs. Are you able to ping these servers from the VPN concentrator? Is the IP pool from the same LAN as the inside VPN concentrator subnet? If you are able to ping from the VPN concentrator, you should then be able to ping from the client, provided appropriate access is given through filters and split tunneling.

Hope this helps!
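The VACL approach recommended in the last reply, written out as an added example (it is not from the original thread or from Cisco's documentation). It assumes a Catalyst switch with VLAN access-map support, that the concentrator's private interface and the VPN client pool sit in VLAN 50, that the client pool is 10.10.50.0/24 and that the one server clients may reach is 10.10.20.15 on another VLAN; all of these addresses and names are made up for the example.

```cisco
! Traffic from the VPN client pool that is allowed to leave the VLAN:
! only the one application server, nothing else.
ip access-list extended VPN-POOL-TO-APP
 permit ip 10.10.50.0 0.0.0.255 host 10.10.20.15

! Everything else sourced from the VPN client pool.
ip access-list extended VPN-POOL-ANY
 permit ip 10.10.50.0 0.0.0.255 any

! VACL sequences are evaluated in order; the first match decides.
vlan access-map VPN-POOL-FILTER 10
 match ip address VPN-POOL-TO-APP
 action forward
vlan access-map VPN-POOL-FILTER 20
 match ip address VPN-POOL-ANY
 action drop
! No match clause: catches all remaining traffic in the VLAN, including
! the concentrator's own traffic and the server's replies routed back
! into VLAN 50 towards the client pool.
vlan access-map VPN-POOL-FILTER 30
 action forward

! Apply the map to the VLAN where the private interface terminates.
vlan filter VPN-POOL-FILTER vlan-list 50
```

Two points worth checking before relying on this. A VACL is stateless and is applied to every packet bridged into or out of the VLAN, so return traffic from the server back to the pool must also be forwarded (sequence 30 above does that); a map that only permits pool-to-server would break the same way the original concentrator filter did, where clients could not reach even the permitted server. And, as the reply says, the VACL does nothing about routing: the switch's VLAN interfaces (or whatever routes between VLANs) still need a route for the 10.10.50.0/24 pool pointing at the concentrator's private address, which you can confirm with `show ip route 10.10.50.0` and a ping from the concentrator to the server before the map is applied.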