Client VPN and access rules

lfkentwell
Level 1

I have a pretty simple question. I am practicing my VPN client on an ASA setup. I've got a successful tunnel running between a VPN client on a Windows machine and even from an iPad. Now that I can establish a tunnel, do I need rules to actually allow and restrict traffic? Can someone advise on what I need to do if I wanted to allow ping and HTTP traffic only inbound?

Thanks.

4 Replies

rizwanr74
Level 7

You can restrict the VPN clients to the allowed IP segments by using a VPN filter; follow the link below for the configuration guideline.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

You can allow or disallow VPN clients from using their own internet connection to surf the web by using split tunneling; follow the link below for the configuration guideline. If you choose not to apply split tunneling, then remote VPN client users will not have access to web browsing while connected to the network.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml

If you choose to allow remote VPN clients to browse the web via your corporate internet connection, then you must NAT the remote-client DHCP pool to the outside interface as shown below (assume the remote VPN client pool is "10.0.255.0 255.255.255.0"):

nat (outside) 1 10.0.255.0 255.255.255.0

Hope that answers your questions.

thanks

Rizwan Rafeek

Awesome, that helps. One last question. Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?

Thanks,

"Assuming I don't want to restrict them incoming, I want them to be able to access any host inside my network. Do I need to create a rule of any kind to allow this incoming access, or does the ASA just allow it?"

NAT zero (otherwise known as no-NAT), which you apply on the inside interface pairing the remote VPN pool with the internal network segment, will allow access via the remote VPN client:

access-list my-no-nat line 1 extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0

nat (inside) 0 access-list my-no-nat

In the example shown above, remote VPN clients coming in on the pool (i.e. 10.0.255.0 255.255.255.0) will be able to access resources inside the network segment 192.168.1.0 255.255.255.0.

If the remote VPN clients need to access more networks besides "192.168.1.0 255.255.255.0", then you need to add those networks to the ACL (my-no-nat), paired with the pool (i.e. 10.0.255.0 255.255.255.0).

Please rate helpful post, so that the thread will be useful for someone else.

thanks
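The two replies taken together, written out as one configuration. This is an added example, not configuration from the thread or from Cisco's linked documents: it uses the thread's pool (10.0.255.0/24) and inside segment (192.168.1.0/24) and the pre-8.3 NAT syntax the replies use; the group-policy name RA-POLICY and the filter ACL name VPN-FILTER are assumptions.

```cisco
! Added example (not from the thread). Assumes pre-8.3 ASA NAT syntax,
! a VPN pool of 10.0.255.0/24, an inside segment of 192.168.1.0/24 and
! an existing remote-access group policy named RA-POLICY (assumed name).

! 1. vpn-filter ACL. Entries are always written with the remote client as
!    the source and the local network as the destination; the ASA applies
!    the filter to both directions of each connection, so one "permit icmp"
!    line covers the echo and its reply, and one tcp/80 line covers the
!    HTTP request and its response.
access-list VPN-FILTER extended permit icmp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPN-FILTER extended permit tcp 10.0.255.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 80
! Anything else from the clients (SSH, SMB, RDP, ...) hits the implicit deny.

! 2. Attach the filter to the group policy the remote-access users land in.
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

! 3. NAT exemption ("nat zero" from the second reply) so inside hosts see
!    the real client addresses and return traffic is not translated.
access-list my-no-nat extended permit ip 192.168.1.0 255.255.255.0 10.0.255.0 255.255.255.0
nat (inside) 0 access-list my-no-nat

! Note beyond the thread: with the default "sysopt connection permit-vpn",
! decrypted VPN traffic bypasses the interface ACLs, which is why the second
! reply needs no interface rule. That also means the vpn-filter is the only
! place the "ping and HTTP only" restriction is enforced.

! Verification: the filter name should appear on the client's session, and
! the ACL hit counts should increase as the client pings or browses.
! show vpn-sessiondb detail remote
! show access-list VPN-FILTER
```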
