Dale_Lobb
Advisor

Prevent all other VPN traffic but allow outbound to the world

I need to place a centrally managed SMB FW into a partner's network, behind his firewall, to allow a small number of the partner's systems to be placed behind the SMB device and thus be allowed to communicate to my corporate network via VPN. The partner's systems that will be behind the SMB FW will still need access to the rest of the partner's network and to the world through the partner's corporate network.

So, I'm wondering if something like this will work for the policy. Note that these pseudo-rules are written as src, dst, VPN community, service, action.

1. Precursor rules to allow the SMB to call home and other things.

2. VPN rules to allow very limited communication between specific systems. These rules will all have a VPN community in the rule.

3. A cleanup rule for the VPN which looks like: any, any, vpn community, any, drop

4. An outbound rule for other traffic: InternalZone, ExternalZone, any, any, accept

5. A full clean up rule: any, any, any, any, drop

My question is about rule 3: it's intended to stop any other traffic from entering the VPN tunnel. Will it work?

If it would work, could I then write the VPN rules with an inline layer, something like:

  a. any, any, vpn community, any, inline layer
     i. inline layer VPN rule 1
     ii. inline layer VPN rule 2
     iii. inline layer clean-up rule: any, any, any, any, drop
  b. other rules for non-VPN traffic

Thanks and Best Regards,

Dale

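The first-match behaviour Dale is asking about, written out as an added example that is not part of the thread and not Check Point's own code: a small Python model of the proposed rulebase, with a VPN community column and an inline layer variant, run over a few constructed connections. It assumes a simplified version of community matching (a rule with a community in the VPN column matches only a connection between two different encryption domains of that community), treats a no-match inside an inline layer as a drop in the way the layer's implicit cleanup rule does, and uses made-up names and documentation-range addresses (PartnerVPN, HOST_A, CORP_APP, 10.10.0.0/24, 10.200.0.0/16, 198.51.100.10). It also evaluates a copy of the rulebase with rules 3 and 4 swapped, to show why the VPN cleanup has to sit above the general outbound rule.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

ANY = "any"

# Constructed sample addressing (documentation ranges, not from the thread).
PARTNER_SEGMENT = ip_network("10.10.0.0/24")   # hosts placed behind the SMB appliance
CORP_DOMAIN = ip_network("10.200.0.0/16")      # corporate encryption domain
HOST_A = ip_network("10.10.0.10/32")           # the one partner host allowed over the VPN
CORP_APP = ip_network("10.200.0.5/32")         # the corporate server it may reach

# Assumption: a community is a set of encryption domains; a connection "is in" the
# community when src and dst fall in two different domains of that community.
COMMUNITIES = {"PartnerVPN": [PARTNER_SEGMENT, CORP_DOMAIN]}


class Packet(NamedTuple):
    src: str
    dst: str
    service: int


class Rule(NamedTuple):
    name: str
    src: object      # ip_network or ANY
    dst: object      # ip_network or ANY
    vpn: str         # community name or ANY
    service: object  # TCP port or ANY
    action: object   # "accept", "drop", or a list of Rule (inline layer)


def in_community(pkt, community):
    domains = COMMUNITIES[community]
    src_dom = [n for n in domains if ip_address(pkt.src) in n]
    dst_dom = [n for n in domains if ip_address(pkt.dst) in n]
    return bool(src_dom) and bool(dst_dom) and src_dom[0] != dst_dom[0]


def matches(rule, pkt):
    if rule.src != ANY and ip_address(pkt.src) not in rule.src:
        return False
    if rule.dst != ANY and ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.service != ANY and rule.service != pkt.service:
        return False
    if rule.vpn != ANY and not in_community(pkt, rule.vpn):
        return False
    return True


def evaluate(rules, pkt, path=""):
    """First-match evaluation; returns (action, name of the rule that decided)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if isinstance(rule.action, list):
            # Inline layer: only its sub-rules decide; no match falls through to the
            # layer's implicit cleanup, modeled here as a drop (assumption).
            return evaluate(rule.action, pkt, path + rule.name + "/")
        return rule.action, path + rule.name
    return "drop", path + "<implicit cleanup>"


# Dale's flat rulebase (the call-home precursor rules are omitted for brevity).
FLAT = [
    Rule("2-vpn-https", HOST_A, CORP_APP, "PartnerVPN", 443, "accept"),
    Rule("3-vpn-cleanup", ANY, ANY, "PartnerVPN", ANY, "drop"),
    Rule("4-outbound", PARTNER_SEGMENT, ANY, ANY, ANY, "accept"),
    Rule("5-cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# The same policy with the VPN rules inside an inline layer.
LAYERED = [
    Rule("a-vpn-layer", ANY, ANY, "PartnerVPN", ANY, [
        Rule("i-vpn-https", HOST_A, CORP_APP, ANY, 443, "accept"),
        Rule("iii-layer-cleanup", ANY, ANY, ANY, ANY, "drop"),
    ]),
    Rule("b-outbound", PARTNER_SEGMENT, ANY, ANY, ANY, "accept"),
    Rule("cleanup", ANY, ANY, ANY, ANY, "drop"),
]

# Rules 3 and 4 swapped: the general outbound rule now sees tunnel-bound traffic first.
MISORDERED = [FLAT[0], FLAT[2], FLAT[1], FLAT[3]]

# Constructed test connections (host B is a partner host NOT listed in any VPN rule).
SAMPLES = {
    "A->corp app https": Packet("10.10.0.10", "10.200.0.5", 443),
    "B->corp app https": Packet("10.10.0.20", "10.200.0.5", 443),
    "A->corp app ssh": Packet("10.10.0.10", "10.200.0.5", 22),
    "B->internet https": Packet("10.10.0.20", "198.51.100.10", 443),
}


def run(rules):
    """Decision for every sample connection under the given rulebase."""
    return {label: evaluate(rules, pkt)[0] for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, rules in (("flat", FLAT), ("layered", LAYERED), ("misordered", MISORDERED)):
        print(name)
        for label, pkt in SAMPLES.items():
            print("  %-20s %s" % (label, evaluate(rules, pkt)))
```

Under this model the flat and layered rulebases decide every sample the same way: only host A to the corporate app on 443 is accepted into the tunnel, every other tunnel-bound connection is stopped by rule 3 (or the layer's cleanup), and host B's Internet-bound traffic falls through to rule 4. In the misordered copy, host B's connection to the corporate app is accepted by the outbound rule before the VPN cleanup is reached, which is exactly the leak rule 3 is there to prevent.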
PhoneBoy
Admin

I believe what you propose should work, complete with inline layers.

Dale_Lobb
Advisor

Thanks, Damian!
