Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
470
Views
0
Helpful
3
Replies

VPN Gateway with traffic filtering

Go to solution
aquasilk0001
Level 1
Level 1

ā€Ž08-15-2014 06:25 AM

I am working in the lab on a small scale setup in which client PC establishes a IPSEC VPN with a Cisco 1921 Router, i have two questions in this regard.

(1) For Wireless clients PC's, Is using an IPSEC VPN Client the best possible option or should i prefer other options. the wireless clients also use Radius server for authentication.

(2) i want to ensure that no other traffic can access or pass the LAN interface other than the Client VPN traffic, what do i need to configure on the Router to ensure that no other traffic can pass other than the VPB traffic.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

ā€Ž08-16-2014 12:13 AM

First: The actual IPsec VPN client is the AnyConnect. The VPN gateway-config for AnyConnect (especially for IPsec) on the IOS-router is much harder then it is on the ASA. If you still have the possibility to change the gateways, then go for an ASA.It's also much cheaper from a license perspective as there is no AnyConnect Essentials License for the router. The traditional Cisco VPN Client is EOL and you shouldn't start a new deployment based on that.

Your questions:

(1) All VPN-Users have to be authenticated somehow. Sending the authentication-request to a central directory is a best-practice and usually done with RADIUS. Additionally to the authentication you can also perform an authorization to control which rights a VPN-user gets.

(2) If you only want to allow IPsec-traffic, you need to configure an access-list, with permits for UDP/500, UDP/4500 and IP/50 to your router-IP. With that config, all other traffic will be dropped.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

ā€Ž08-16-2014 12:13 AM

First: The actual IPsec VPN client is the AnyConnect. The VPN gateway-config for AnyConnect (especially for IPsec) on the IOS-router is much harder then it is on the ASA. If you still have the possibility to change the gateways, then go for an ASA.It's also much cheaper from a license perspective as there is no AnyConnect Essentials License for the router. The traditional Cisco VPN Client is EOL and you shouldn't start a new deployment based on that.

Your questions:

(1) All VPN-Users have to be authenticated somehow. Sending the authentication-request to a central directory is a best-practice and usually done with RADIUS. Additionally to the authentication you can also perform an authorization to control which rights a VPN-user gets.

(2) If you only want to allow IPsec-traffic, you need to configure an access-list, with permits for UDP/500, UDP/4500 and IP/50 to your router-IP. With that config, all other traffic will be dropped.

0 Helpful

Go to solution
aquasilk0001
Level 1
Level 1
In response to Karsten Iwen

ā€Ž08-17-2014 02:46 AM

Thank you for your comprehensive response.

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

ā€Ž08-17-2014 03:22 AM

Some add-ons:

(1) Instead of a VPN, a strong WLAN-authentication with WPA2-Enterprise could also be deployed. From a security-perspective that is also very strong and probably easier to deploy.

(2) Before your clients can start an IPsec-VPN, they need to get an IP-address. If the DHCP-server is located behind or on the router, the ACL also needs to allow the DHCP-traffic.

0 Helpful
Customers Also Viewed These Support Documents