Remote User Policy for Specific Host Access on VLAN


#1

I’m deploying a BPL-380 for a customer who wants to grant VPN access to a specific application server on the untagged VLAN.

How can I create a remote user policy that outlines VPN access to just one specific server on the untagged VLAN?

Thank you in advance for any assistance that you can provide!


#2

You may be able to accomplish this using internal firewall rules depending on your scenario. Change the default rule to “Deny” and place the following rule on top:

Protocol = Any

Source = internal untagged LAN network

Destination = single address for server IP

Action = Allow


#3

Thanks Ron. Will this internal policy affect other devices that may need to interact with each other on the same untagged VLAN?

We are building a VPN/remote access username/password for an external developer company that needs access to a single server on the untagged network. We certainly don’t want them to have access to the other servers, however other VPN users will need access to all internal servers on the untagged VLAN.

It would be nice if we could assign an access policy per VPN user.


#4

The internal firewall rule includes the entire untagged network for the source. This is because a MAC address is not seen with remote users, so there is no DHCP reservation.

Internal firewall rules control sessions between LAN/VLAN/static route networks/PepVPN networks/IPsec networks. If devices on the untagged LAN are connected to a switch without internal routing to other networks, this should work.
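
To make the behaviour of the rule set from post #2 and the scoping remark in post #4 concrete, here is an added example (not code from the thread or from Peplink) that models first-match firewall evaluation with a default action, and runs it over a few constructed flows. The addressing (192.168.1.0/24 as the untagged LAN, 192.168.20.0/24 as a second routed VLAN, 192.168.1.10 as the application server) and the assumption that the remote-user client holds an address inside the untagged LAN range are mine for illustration; the thread does not state them.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed addressing for this example (assumptions, not from the thread):
UNTAGGED_LAN = ipaddress.ip_network("192.168.1.0/24")   # customer's untagged LAN
TAGGED_VLAN = ipaddress.ip_network("192.168.20.0/24")   # a second, routed VLAN
APP_SERVER = ipaddress.ip_network("192.168.1.10/32")    # the single application server


@dataclass(frozen=True)
class Rule:
    protocol: str                       # "any", "tcp", "udp", "icmp"
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network  # a /32 for a single host
    action: str                         # "allow" or "deny"

    def matches(self, protocol: str, src: ipaddress.IPv4Address,
                dst: ipaddress.IPv4Address) -> bool:
        proto_ok = self.protocol == "any" or self.protocol == protocol
        return proto_ok and src in self.source and dst in self.destination


# The rule set suggested in post #2: one allow rule on top, default action Deny.
POST2_RULES: List[Rule] = [Rule("any", UNTAGGED_LAN, APP_SERVER, "allow")]
DEFAULT_ACTION = "deny"


def evaluate(rules: List[Rule], protocol: str, src: str, dst: str,
             default: str = DEFAULT_ACTION) -> str:
    """First-match evaluation: the first rule whose protocol, source and
    destination all match decides the flow; otherwise the default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule.matches(protocol, s, d):
            return rule.action
    return default


def trace(rules: List[Rule], flows):
    """Evaluate (label, protocol, src, dst) flows, print each decision,
    and return {label: action} so the outcome can be checked."""
    results = {}
    for label, protocol, src, dst in flows:
        results[label] = evaluate(rules, protocol, src, dst)
        print(f"{label:<45} {protocol:<5} {src:>15} -> {dst:<15} {results[label]}")
    return results


# Constructed sample flows. The remote-user client (192.168.1.200) is assumed to
# hold an address inside the untagged LAN range; that is an assumption about this
# deployment, not something the thread states outright.
SAMPLE_FLOWS = [
    ("VPN user -> application server", "tcp", "192.168.1.200", "192.168.1.10"),
    ("VPN user -> another server on untagged LAN", "tcp", "192.168.1.200", "192.168.1.20"),
    ("VPN user -> host on tagged VLAN", "tcp", "192.168.1.200", "192.168.20.30"),
    ("Tagged VLAN host -> application server", "tcp", "192.168.20.30", "192.168.1.10"),
]

# The same allow rule placed *below* a broad deny never fires: rule order matters,
# which is why post #2 says to place the allow rule on top.
MISORDERED_RULES: List[Rule] = [
    Rule("any", UNTAGGED_LAN, ipaddress.ip_network("0.0.0.0/0"), "deny"),
    Rule("any", UNTAGGED_LAN, APP_SERVER, "allow"),
]

if __name__ == "__main__":
    print("Rules from post #2, default Deny:")
    trace(POST2_RULES, SAMPLE_FLOWS)
    print("\nSame allow rule placed under a broad deny:")
    trace(MISORDERED_RULES, SAMPLE_FLOWS[:1])
```

The evaluator only shows what the rule set decides about a flow that is actually presented to it. Whether a given flow reaches the router's internal firewall at all (post #4's point that traffic staying inside one switched segment never does) is outside this model, so the "another server on untagged LAN" line shows the rule-set decision, not a claim about what the switch forwards.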