470 Views, 0 Helpful, 3 Replies

filter for vpn group based on nic ip address

ouellette-a (Level 1)

Using a VPN 3000 and client (no client firewall), is there a way to filter on the source address (NIC address, not the assigned address)? This would allow a client to connect from a "campus" address but not from an ISP address; other VPN groups would be allowed to connect from the same ISP address space, however...?

Can this be done with a client firewall filter?

3 Replies

kmarrero (Level 4)

If you know the actual IP addresses or range of IP addresses that you want to allow, you could just set up access-lists that would permit only those addresses into the network. The access-list would deny everything else. Here is a URL that will help you with the access-list. The only way that you could filter based upon the NIC address (MAC address) would be to use a MAC address access-list, but I believe you have to be bridging for that to work. http://www.cisco.com/warp/public/105/ACLsamples.html

I don't think ACLs will solve the problem. (By NIC I meant the Ethernet card and its IP address, not the MAC address.)

So, is it possible to allow a VPN group to set up a tunnel from an ISP address range, but filter another VPN group (so they cannot set up a tunnel) from the same ISP?

In other words, can the src IP address of the Ethernet interface (not the assigned "dialup" address) be used to allow a VPN group access when coming in from a "campus" IP address, but filter that same VPN group if they are trying to come in from home (their ISP)?

i.e.:

allow vpngroup1 if coming in from xxx.xxxx.xxxx.xxx

allow vpngroup2 if coming in from zzz.zzz.zzz.zzz

filter vpngroup1 if coming in from yyy.yyy.yyy.yyy

allow vpngroup2 if coming in from yyy.yyy.yyy.yyy

Is there filtering available in a client firewall that looks at the source IP address, either to not allow them to set up the tunnel, or, if a tunnel is set up, to filter out the traffic (connect but not be able to go anywhere)?

This is a "feature" a customer wants to be able to implement...

Thanks,

Allen

Just a clarification:

When I say src IP address, I mean the Ethernet IP address or the assigned or NAT address through the ISP.

By assigned dialup, I mean the address assigned from the pool at the VPN concentrator.

Thanks again,
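The rule set Allen lists (allow vpngroup1 from campus, deny vpngroup1 from the ISP range, allow vpngroup2 from both) written out as a small per-group source-address policy. This is an added example, not part of the thread and not VPN 3000 configuration; it assumes the decision point sees the client's outer peer address (the NAT or ISP-assigned address, per the clarification above) together with the group name, and it uses constructed RFC 5737 documentation ranges in place of the real campus and ISP networks. Rules are evaluated top to bottom, first match wins, and anything unmatched (or unparsable) is denied.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
# A rule is (action, network); a group's rules are checked in order and the
# first network containing the peer address decides. No match -> deny.
Rule = Tuple[str, Network]


def compile_rules(spec: Iterable[Tuple[str, str]]) -> List[Rule]:
    """Parse ('allow'|'deny', 'CIDR') pairs; strict=True rejects host bits set."""
    compiled: List[Rule] = []
    for action, cidr in spec:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        compiled.append((action, ipaddress.ip_network(cidr, strict=True)))
    return compiled


# Constructed policy: 192.0.2.0/24 plays "campus", 198.51.100.0/24 a second
# campus range, 203.0.113.0/24 the shared ISP range (all documentation nets).
POLICY: Dict[str, List[Rule]] = {
    "vpngroup1": compile_rules([
        ("allow", "192.0.2.0/24"),     # campus: allowed
        ("deny",  "203.0.113.0/24"),   # ISP: explicitly refused
    ]),
    "vpngroup2": compile_rules([
        ("allow", "198.51.100.0/24"),  # its own campus range
        ("allow", "203.0.113.0/24"),   # same ISP range, allowed here
    ]),
}


def evaluate(group: str, peer_ip: str, policy: Dict[str, List[Rule]] = POLICY) -> str:
    """Return 'allow' or 'deny' for a tunnel attempt from peer_ip by group."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return "deny"                  # garbage in the peer field: fail closed
    for action, net in policy.get(group, []):
        # version check avoids a TypeError when mixing IPv4 and IPv6
        if addr.version == net.version and addr in net:
            return action
    return "deny"                      # unknown group or no matching rule


def audit(attempts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run a batch of (group, peer_ip) records through the policy for review."""
    return [(g, ip, evaluate(g, ip)) for g, ip in attempts]


if __name__ == "__main__":
    # Constructed connection attempts, one per line of Allen's rule list.
    sample = [
        ("vpngroup1", "192.0.2.10"),     # group1 from campus
        ("vpngroup2", "198.51.100.7"),   # group2 from its campus
        ("vpngroup1", "203.0.113.5"),    # group1 from the ISP
        ("vpngroup2", "203.0.113.5"),    # group2 from the same ISP address
    ]
    for group, ip, decision in audit(sample):
        print(f"{group:10} {ip:16} {decision}")
```

Because the order of rules matters, keep the explicit deny for the ISP range even though the default is deny: it documents the intent and protects the group if a broader allow is appended later.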