Restricting traffic from VPN clients

mlaplaunte
Level 1

I'd like to restrict the traffic that can come in from VPN clients (specifically those associated with the most current round of worms and whatnot).

I've tried fiddling with access lists but just don't seem to be getting it. Any help would be appreciated.

Thanks.

3 Replies

zeller
Level 1

We're seeing the same problem. Our conclusion is that nothing on the VPN server can save it, as it has to decrypt the pkt to see what it is, and by then the damage (CPU usage) is done. We plan to use some advanced features on our new 6507 switches to rate-limit traffic to the VPN server on a per-IP source basis.

Tom Zeller

Indiana University

zeller@Indiana.edu

We're looking at the same issue - only the idea is more to limit what access each VPN client will have - that is, I want to restrict what internal resources the users have access to and would like to be able to use downloadable ACLs from an ACS server or a similar feature which would allow configuration of an ACL or ACL-type mechanism on an ACS server as opposed to configuration on the IOS VPN router. Any ideas?

zeller
Level 1

You can do it by setting up a rule and then creating a filter using that rule. Then apply the filter to an interface or group.

Also, we have a problem with infected machines chewing up the server processing "bandwidth" and plan to rate-limit traffic going to the server on a per-address basis at the router.

Tom Zeller

Indiana University

zeller@indiana.edu