11-20-2009 09:17 AM - edited 02-21-2020 04:23 PM
ASA5520 Cisco IPSEC VPN Client using DAP
Hello
I want to have access to all connected VPN Clients from the inside LAN. The access should only be available if it is initiated from the inside LAN.
Example Application: mstsc
The VPN Client should only be able to access restricted hosts on the inside LAN. This is done by ACL within the DAP.
At the moment I have to open all destination hosts/ports in the DAP ACL of the VPN Client which I want to make reachable from the inside LAN.
I think there must be a way to define:
All VPN Clients can be reached from the inside LAN.
All VPN Clients can only reach defined hosts at the inside LAN.
Does anyone have an idea how I can configure this?
Thanks
11-20-2009 10:11 AM
There are a couple of ways I can think of to achieve this:
For VPN client access to inside hosts-
1) Write an ACL that is applied on the inside interface outbound restricting access
2) Write an ACL and apply it to the VPN Client Firewall
For Inside access to VPN Client-
1) Write an ACL that is applied on the inside interface inbound restricting access
HTH
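For readers who want to see the interface-ACL approach from this answer written out, here is an added example of an ASA configuration; it is not from the thread or from any poster. The interface name (inside), the ACL names, the addressing (inside LAN 10.1.0.0/24, VPN client pool 10.99.0.0/24, RDP host 10.1.0.50) and the RDP-only restriction are all assumed for illustration. Unlike a DAP/vpn-filter ACL, which the ASA evaluates against tunnel traffic in both directions with the client as the source, interface ACLs only have to permit the first packet of a connection; the stateful inspection then allows the replies, which is what lets the inside LAN initiate sessions to the clients without opening those ports in the client's DAP ACL.

```cisco
! --- Assumed addressing (constructed for this example) -------------------
!   inside LAN       10.1.0.0/24    behind interface "inside"
!   VPN client pool  10.99.0.0/24   ip local pool handed to the IPsec clients
!   RDP host         10.1.0.50      the only inside host the clients may reach
!
! --- 1) Inside LAN -> VPN clients (inbound ACL on the inside interface) --
! Anything the LAN initiates toward the client pool is permitted; return
! traffic is matched by the connection table, not by the ACL.
access-list inside_access_in extended permit ip 10.1.0.0 255.255.255.0 10.99.0.0 255.255.255.0
! Nothing else on the inside may reach the pool; log the attempts.
access-list inside_access_in extended deny ip any 10.99.0.0 255.255.255.0 log
! Keep whatever the LAN was already allowed to do elsewhere (adjust to taste).
access-list inside_access_in extended permit ip 10.1.0.0 255.255.255.0 any
access-group inside_access_in in interface inside

! --- 2) VPN clients -> inside LAN (outbound ACL on the inside interface) --
! Client-initiated traffic is limited to RDP toward the one permitted host.
access-list inside_access_out extended permit tcp 10.99.0.0 255.255.255.0 host 10.1.0.50 eq 3389
access-list inside_access_out extended deny ip 10.99.0.0 255.255.255.0 any log
! Leave non-VPN traffic leaving the inside interface untouched.
access-list inside_access_out extended permit ip any any
access-group inside_access_out out interface inside
```

Two things to verify on the box before relying on this: check the current `sysopt connection permit-vpn` setting (enabled by default), because it lets decrypted VPN traffic bypass interface access lists, so confirm with `show access-list inside_access_out` that the hit counters actually increment for client traffic; and if a DAP network ACL is still attached to the client session, the LAN-initiated sessions must pass that filter as well, so either remove it in favour of the interface ACLs or keep its entries consistent with them.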
11-24-2009 06:09 AM
We extended the ACL inside_access_in and it works perfect.
Thanks
11-24-2009 06:12 AM
Good to hear
Glad to help.