11-07-2012 12:26 PM
I have a requirement to segment all of the VPN traffic so that once a user logs in, they cannot see (ping, scan, etc.) any other users on the VPN network. I was wondering if this is possible.
Thanks,
Alex
11-07-2012 01:20 PM
That can be achieved both on the ASA and on IOS routers. The easiest would be to use ACLs inside the tunnel that restrict the traffic that may be sent from the VPN client.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-08-2012 07:28 AM
Can you provide an example of the configuration? I might have found a bug in the ASA code because the ACL that I am using is not working.
Thanks,
Alex
11-08-2012 07:38 AM
Most likely it's not a bug but a misconfigured ACL (if you are talking about the vpn-filter).
In the VPN-filter the syntax is:
ACTION PROTOCOL REMOTE LOCAL
and not
ACTION PROTOCOL SOURCE DESTINATION
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-08-2012 08:24 AM
Alex,
What Karsten suggests is a VPN filter. This feature filters the inbound traffic coming over a VPN tunnel, so in your ACL the source is the REMOTE network and the destination is the LOCAL network.
Please check this out:
HTH.
Portu.
Please rate any helpful posts
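A worked illustration of the REMOTE/LOCAL ordering Karsten and Portu describe, added here as an example and not configuration posted by anyone in the thread. The address pool (10.10.10.0/24), the inside network (192.168.1.0/24), and the ACL and group-policy names are constructed placeholders; adjust them to your own addressing.

```cisco
! Constructed example: VPN clients receive addresses from 10.10.10.0/24,
! the protected inside network is 192.168.1.0/24.
!
! In a vpn-filter ACL the SOURCE field is the REMOTE side (the VPN client)
! and the DESTINATION field is the LOCAL side (what the client may reach).

! Deny client-to-client traffic: remote = the pool, local = the same pool.
access-list VPN-FILTER extended deny ip 10.10.10.0 255.255.255.0 10.10.10.0 255.255.255.0

! Allow clients to reach the inside network only.
access-list VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0

! Everything else is dropped by the implicit deny at the end of the ACL.

! Attach the filter to the group policy used by the remote-access tunnel group.
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER
```

If the same ACL were written SOURCE/DESTINATION style with the inside network first, the permit line would never match decrypted client traffic, which is the usual cause of a vpn-filter that appears not to work.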