Re: Segment VPN users

Alex Pfeil · ‎11-07-2012

I have a requirement to segment all of the VPN traffic so that once a user logs in, they can not see (ping, scan, etc.) any other users on the VPN network. I was wondering if this is possible.

Thanks,

Alex

Karsten Iwen · ‎11-07-2012

That can be achieved both on the ASA and on IOS-routers. The easiest would be to use ACLs inside the tunnel that restrict the traffic that may be sent from the VPN-client.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Alex Pfeil · ‎11-08-2012

Can you provide an example of the configuration? I might have found a bug in the ASA code because the ACL that I am using is not working.

Thanks,

Alex

Karsten Iwen · ‎11-08-2012

Most likely it's not a bug but a misconfigured ACL (if you are talking about the vpn-filter).

In the VPN-filter the syntax is:

ACTION PROTOCOL REMOTE LOCAL

and not

ACTION PROTOCOL SOURCE DESTINATION

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Javier Portuguez · ‎11-08-2012

Alex,

What Karsten suggests is a VPN filter, this feature filters the inbound traffic coming over a VPN tunnel, so in your ACL, the source is the REMOTE network and destination the LOCAL network.

Please check this out:

PIX/ASA 7.x and Later: VPN Filter (Permit Specific Port or Protocol) Configuration Example for L2L and Remote Access

HTH.

Portu.

Please rate any helpful posts