Apply Firewall Rules to IPSec VPN profiles


#1

Hello,

What is the best way to limit access to specific hosts on an IPSec VPN profile?

For example, say that I have an IPSec VPN between a Peplink and a non-Peplink firewall (Cisco ASA for example, since I have quite a few of these). Details would be:

Source LAN : 10.0.1.0/24 (Hardware is PEPLINK)
Dest LAN: 10.0.2.0/24 (Hardware is non-PEPLINK)
VPN Setup: Setup to allow all source 10.0.1.0/24 access to all destination 10.0.2.0/24 (typical VPN setup)

Could I then add firewall rules on the Peplink device such that source 10.0.2.0/24 can only access IP host 10.0.1.100/32, even though the entire LAN subnet is configured in the VPN profile?

Let me know if this would be the best way to configure this kind of limitation? Or would I be better off setting the SOURCE ip in the VPN profile (on the Peplink Device) as 10.0.1.100/32?

Finally, does this go in INTERNAL NETWORK FIREWALL rule or INBOUND FIREWALL rule?

Thanks!
-Joe Keegan


#2

Hi Joe,

Yes, you can create such an access control rule to control the traffic from the 10.0.2.0/24 network.

The access rule needs to be created at INTERNAL NETWORK FIREWALL.

Thanks.

Regards,
Yaw Theng
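The thread settles on keeping the full subnets in the VPN profile and restricting the remote side with Internal Network Firewall rules. What the answer does not spell out is that this needs two rules in a specific order: an allow for the single host followed by a deny for the rest of the local subnet, with the usual default allow left in place for locally initiated traffic. The following Python model is an added example, not code from the original thread or from Peplink; it assumes first-match-wins evaluation (the common semantics for ordered firewall rule lists) and uses the addresses Joe gave. The rule table is constructed for illustration.

```python
import ipaddress

# Constructed rule set modelling the Internal Network Firewall on the Peplink
# side of the tunnel. Each entry is (source network, destination network,
# action). Assumed semantics: rules are evaluated top to bottom and the first
# match wins; the last entry is the default rule.
RULES = [
    ("10.0.2.0/24", "10.0.1.100/32", "allow"),  # remote LAN may reach the one host
    ("10.0.2.0/24", "10.0.1.0/24",   "deny"),   # ...and nothing else on the local LAN
    ("0.0.0.0/0",   "0.0.0.0/0",     "allow"),  # default: local-initiated traffic untouched
]


def evaluate(rules, src, dst):
    """Return the action of the first rule matching the (src, dst) pair.

    Falls back to 'deny' if no rule matches, which cannot happen with a
    catch-all default rule but is the safe behaviour for an incomplete table.
    """
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for src_net, dst_net, action in rules:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action
    return "deny"


def check_policy(rules):
    """Run a handful of constructed flows through the rule table.

    Returns a dict keyed by a short label so the outcome of each flow can be
    inspected or asserted on.
    """
    flows = {
        "remote_to_allowed_host": ("10.0.2.5", "10.0.1.100"),   # the one permitted host
        "remote_to_other_host":   ("10.0.2.5", "10.0.1.50"),    # must be blocked
        "local_to_remote":        ("10.0.1.20", "10.0.2.50"),   # local side still unrestricted
        "remote_to_non_lan":      ("10.0.2.5", "192.0.2.10"),   # outside the VPN selector
    }
    return {label: evaluate(rules, src, dst) for label, (src, dst) in flows.items()}


def swapped_order(rules):
    """Return a copy of the table with the first two rules swapped.

    This is the classic mistake: putting the subnet-wide deny above the
    host-specific allow shadows the allow, so the remote LAN loses access
    to 10.0.1.100 as well.
    """
    return [rules[1], rules[0]] + rules[2:]


if __name__ == "__main__":
    for label, action in check_policy(RULES).items():
        print(f"{label:24s} -> {action}")
    print("with rules swapped, remote -> 10.0.1.100:",
          evaluate(swapped_order(RULES), "10.0.2.5", "10.0.1.100"))
```

Because the Internal Network Firewall is stateful, replies from 10.0.1.100 back to 10.0.2.0/24 ride on the permitted session and need no extra rule; only the direction of the initial connection is evaluated here. Narrowing the VPN profile's source to 10.0.1.100/32 instead, as Joe's alternative suggests, would also stop the rest of 10.0.1.0/24 from initiating traffic toward the remote site and would require a matching crypto ACL change on the ASA, which is why the firewall-rule approach is the less disruptive one.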