Hi all,
I have a bit of a gotcha I am stuck on,
I need to create a new VPN user for someone, I have created a local user account on the firewall, these users only are to have access to 5 hosts on the network and that's it, and need to be LOCKED down to specific ports.
The way I was looking at doing this was by creating a VPN group policy.
Now, on the firewall, if I create a new group policy, then go in to this group policy to the split tunneling section, you have the option of creating a standard ACL, or an extended ACL.
If I create a standard ACL, it will let me set so that when they VPN, they are only able to get to these hosts and nothing else (I tested this via ping), however, this leaves a problem, as standard ACLs will not let you lock it down to ports.
To lock it down to ports, you need to use an extended ACL, however, if I use an extended ACL instead, it will not work.
i.e. if I create a standard ACL and say
"From source: VPN source range"
"To: IP address of 4 hosts they need to get to"
"Ports: I tried IP (all) as a test"
If I VPN, I cannot ping any of the hosts, meaning I can't reach them
If I tell the group policy to use the standard ACL instead, and re-connect, it works, however I am not locking down the ports again.
Can anyone possibly give me some guidance? I have trawled through Google with no luck
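The post describes two separate controls being mixed together: the split-tunnel network list (which only decides which destinations are sent into the tunnel) and a per-group traffic filter (which is where ports are enforced). The configuration below is an added example, not the poster's config or any vendor's documentation; it assumes the firewall is a Cisco ASA, since the group-policy / split-tunnel / standard-vs-extended ACL terminology is ASA's. The pool 10.10.10.0/24, the host addresses 192.168.1.11 to 192.168.1.15, the service ports and all object names are placeholders chosen for the example. It keeps a standard ACL for split tunnelling, exactly as the poster already has working, and adds an extended ACL as a `vpn-filter` to restrict each host to specific ports.

```cisco
! Added example (not from the original post). Assumes a Cisco ASA, a VPN
! address pool of 10.10.10.0/24 and five internal hosts 192.168.1.11-15.
! All addresses, ports and names are placeholders.

! 1. Address pool handed to this group's VPN clients.
ip local pool VPN_RESTRICTED_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! 2. Standard ACL used ONLY for split tunnelling: it decides which
!    destinations are routed into the tunnel. It cannot express ports,
!    which is the limitation the post ran into.
access-list SPLIT_RESTRICTED standard permit host 192.168.1.11
access-list SPLIT_RESTRICTED standard permit host 192.168.1.12
access-list SPLIT_RESTRICTED standard permit host 192.168.1.13
access-list SPLIT_RESTRICTED standard permit host 192.168.1.14
access-list SPLIT_RESTRICTED standard permit host 192.168.1.15

! 3. Extended ACL applied as a vpn-filter: this is where ports are enforced.
!    Source = VPN client pool, destination = internal host, port = service
!    on that host. Anything not listed is dropped by the implicit deny,
!    including ping, unless an icmp entry is added as below for testing.
access-list VPNFILTER_RESTRICTED extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.11 eq 3389
access-list VPNFILTER_RESTRICTED extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.12 eq 443
access-list VPNFILTER_RESTRICTED extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.13 eq 22
access-list VPNFILTER_RESTRICTED extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.14 eq 445
access-list VPNFILTER_RESTRICTED extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.15 eq 1433
access-list VPNFILTER_RESTRICTED extended permit icmp 10.10.10.0 255.255.255.0 host 192.168.1.11 echo

! 4. Group policy ties the pool, the split-tunnel list and the filter together.
group-policy GP_RESTRICTED internal
group-policy GP_RESTRICTED attributes
 address-pools value VPN_RESTRICTED_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_RESTRICTED
 vpn-filter value VPNFILTER_RESTRICTED

! 5. Bind the local user account to that group policy.
username vpnuser1 password <set-a-strong-password-here>
username vpnuser1 attributes
 vpn-group-policy GP_RESTRICTED
```

Two checks worth doing after applying this: `show vpn-sessiondb detail` for the connected user shows which filter name is actually applied to the session, so a user still landing in the wrong group policy is visible immediately; and because the filter's implicit deny also drops ICMP, a ping test will fail even when the configuration is correct unless an icmp entry like the one above is present, so test with the permitted TCP port (for example a connection to 443) rather than with ping alone. The split-tunnel list should stay a standard ACL listing only the five hosts; the extended ACL belongs on `vpn-filter`, not in the split-tunnel section.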