05-12-2003 02:31 PM - edited 02-21-2020 12:32 PM
Using a vpn3000 and client (no client firewall), is there a way to filter on the source address (NIC address, not the assigned address)? This would allow a client to connect from a "campus" address but not from an ISP address; other VPN groups would be allowed to connect from the same ISP address space, however...?
Can this be done with a client firewall filter?
05-15-2003 12:27 PM
If you know the actual IP addresses or range of IP addresses that you want to allow, you could just set up access-lists that would permit only those addresses into the network. The access-list would deny everything else. Here is a URL that will help you with the access-list. The only way that you could filter based upon the NIC address (MAC address) would be to use a MAC address access-list, but I believe you have to be bridging for that to work. http://www.cisco.com/warp/public/105/ACLsamples.html
05-30-2003 08:47 AM
I don't think ACLs will solve the problem (by NIC I meant the ethernet card and its IP address, not the MAC address).
So, is it possible to allow a VPN group to set up a tunnel from an ISP address range, but filter another VPN group (so they cannot set up a tunnel) from the same ISP?
In other words, can the source IP address of the ethernet (not the assigned "dialup" address) be used to allow a VPN group access when coming in from a "campus" IP address, but filter that same VPN group if they are trying to come in from home (their ISP)?
i.e.:
allow vpngroup1 if coming in from xxx.xxxx.xxxx.xxx
allow vpngroup2 if coming in from zzz.zzz.zzz.zzz
filter vpngroup1 if coming in from yyy.yyy.yyy.yyy
allow vpngroup2 if coming in from yyy.yyy.yyy.yyy
Is there filtering that looks at the source IP address available in a client firewall, either to not allow them to set up the tunnel or, if a tunnel is set up, to filter out the traffic (connect but not be able to go anywhere)?
This is a "feature" a customer wants to be able to implement...
Thanks,
Allen
05-30-2003 09:06 AM
Just a clarification:
When I say source IP address I mean the ethernet IP address, or the assigned or NAT address through the ISP.
By assigned dialup I mean the address assigned from the pool at the VPN concentrator.
Thanks again,
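The per-group source-address policy asked for above, modelled as an ordered first-match rule list with an implicit deny at the end (the semantics the access-list reply describes). This is an added illustration, not VPN 3000 configuration; the prefixes are documentation ranges standing in for the xxx/yyy/zzz placeholders, and the decision is made on the outer source address the concentrator sees, never on the pool address handed out after the tunnel is up.

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefixes (RFC 5737 documentation ranges) standing in for
# the placeholders in the thread: CAMPUS = xxx..., ISP_Y = yyy..., ISP_Z = zzz...
CAMPUS = ip_network("192.0.2.0/24")
ISP_Y = ip_network("198.51.100.0/24")   # ISP space shared by both groups
ISP_Z = ip_network("203.0.113.0/24")

# Ordered rules, first match wins; anything not matched falls through to deny.
RULES = [
    ("permit", "vpngroup1", CAMPUS),
    ("permit", "vpngroup2", ISP_Z),
    ("deny",   "vpngroup1", ISP_Y),   # group 1 may not tunnel in from the ISP
    ("permit", "vpngroup2", ISP_Y),   # group 2 may, from the very same ISP
]


def tunnel_decision(group, outer_src, rules=RULES):
    """Decide whether a tunnel setup attempt is permitted.

    group:     the VPN group the client authenticates to
    outer_src: the source address of the incoming IKE/IPsec packets, i.e. the
               client's ethernet or NAT address as seen by the concentrator
    """
    src = ip_address(outer_src)
    for action, rule_group, net in rules:
        if rule_group == group and src in net:
            return action
    return "deny"   # implicit deny: unknown group or unlisted source


def evaluate_attempts(attempts, rules=RULES):
    """Run a batch of (group, outer_src) attempts through the rule list."""
    return [(g, s, tunnel_decision(g, s, rules)) for g, s in attempts]


# Constructed connection attempts, as a connection log might record them.
SAMPLE_ATTEMPTS = [
    ("vpngroup1", "192.0.2.10"),      # group 1 from campus      -> permit
    ("vpngroup1", "198.51.100.7"),    # group 1 from the ISP     -> deny
    ("vpngroup2", "198.51.100.7"),    # group 2 from the same ISP-> permit
    ("vpngroup2", "203.0.113.40"),    # group 2 from its own ISP -> permit
    ("vpngroup1", "203.0.113.40"),    # no rule for this pair    -> deny
    ("vpngroup3", "192.0.2.10"),      # unknown group            -> deny
]

if __name__ == "__main__":
    for g, s, d in evaluate_attempts(SAMPLE_ATTEMPTS):
        print(f"{g:10} from {s:15} -> {d}")
```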