Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Sergo89
Collaborator
Jump to solution

VPN networks - block access in community

Hi There,

I need to block (or provide access to specific networks in community). For example, i have one VPN community with five sites and each site has 3 networks, i need to open access:

Site1-Network1 to Site2-Network1

Site1-Network2 to Site2-Network2

Site1-Network3 to Site3-Network3

but Site1-Network1  shouldnt get access Site2-Network2

do i have to create separate VPN rules like:

Source (Site1-Network1) to  Dest (Site2-Network1) - VPN Community

or one big rule for VPN

Source (Site 1-5) to  Dest (Site 1-5) - VPN Community 

and next create separate security rules for each condition? like

Source (Site1-Network1) to  Dest (Site2-Network1) - Any - Any

 

Just not clear for me, is it possible to play with access between networks in one VPN community or all networks inside will be accessible for each other

 

thanks

 

 

0 Kudos
1 Solution

Accepted Solutions
Vladimir
Champion
Champion

Simply defining VPN community establishing the necessary conditions for the encrypted traffic between sites, but it is still subject to the Access Control policy rules.

You can group the VPN rules under the same policy section with individual rules containing groups of networks, for compactness.

You may use a large parent rule for the Inline VPN policy, but then the parent rule should be permissive and the child rules should be restrictive. For me, this second option does not sound very appealing.

View solution in original post

7 Replies
the_rock
Legend
Legend

Technically, you could do both, as long as there is no rule conflict. Like all vendors, rules go as Im sure you know, top to bottom, left to right. Though, but this is just me, maybe for better "separation", I would create different rules.

0 Kudos
Vladimir
Champion
Champion

Simply defining VPN community establishing the necessary conditions for the encrypted traffic between sites, but it is still subject to the Access Control policy rules.

You can group the VPN rules under the same policy section with individual rules containing groups of networks, for compactness.

You may use a large parent rule for the Inline VPN policy, but then the parent rule should be permissive and the child rules should be restrictive. For me, this second option does not sound very appealing.

Sergo89
Collaborator

Thanks!

do you mean i can create "large parent rule" like all VPN sites - Any - Any - VPN community and next play with security rules - Net1 (site1) to Net(5) site3?

the_rock
Legend
Legend

Im pretty sure thats what @Vladimir meant.

Sergo89
Collaborator

Great! thank you very much guys!

the_rock
Legend
Legend

Just to share quickly what I usually recommend to people and that seems to work real well. So, for all the interfaces, we assign zones to them and then say you can create inline parent rule, that goes like this ->

src -> internal zone (referencing internal interface), dst -> any -> vpn -> any , services -> any -> action -> create new layer and call it say "internal layer"

Then, below that "parent" rule, you can set up all the child rules (as they call them) and at the bottom, you will have any any drop, which is EXPLICIT clean up rule...NOT to be confused with IMPLICIT clean up rule, always very last at the bottom of the rule base

Having said this, we always say to customers to create VPN rules towards to top of the rulebase, not part of any inline layer, so that way, it would not "conflict" with anything.

Hope it makes sense, but happy to show you in my lab as well.

 

0 Kudos
Vladimir
Champion
Champion

Yes, but I have stated earlier, the parent rule in this case will be permissive and the child rules restrictive.

You are better off having individual permissive rules grouped in the same policy section.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events