Using Directional VPN for Remote Access
Directional VPN in RA Communities
When Directional VPN is enabled for Remote Access communities, a rule can accept or reject connections according to the direction of the traffic: which community it originates in and which community or network it is headed for. This makes it possible to block remote users from a particular network object or VPN community while still allowing their other traffic.
Source | Destination | VPN | Service | Action
-------|-------------|-----|---------|-------
Any | Any | Remote_Access_Community => MyIntranet | Any | drop
Any | Any | Remote_Access_Community => Any Traffic | Any | accept
The first rule drops connections between remote users and hosts within the "MyIntranet" VPN community. Because rules are matched in order, the second rule then accepts every other connection originating in the Remote Access Community, whether its destination is inside or outside a VPN community ("Any Traffic" matches both). The order matters: if the accept rule came first, it would match the intranet traffic as well and the drop rule would never be reached.
User Groups as the Destination in RA communities
User groups can be placed in the destination column of a rule. This:
- Makes client-to-client connections easier to configure
- Makes "back connections" between a remote client and a Security Gateway possible
Source | Destination | VPN | Service | Action
-------|-------------|-----|---------|-------
Any | Remote_Users@Any | Any Traffic => Remote_Access_Community | Any | accept
To include a user group in the destination column of a rule:
- The rule must be directional
- In the VPN column, the Remote Access community must be the destination endpoint of the direction (as in Any Traffic => Remote_Access_Community above)
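As an added example (not part of the Check Point documentation above, and not Check Point code), the following Python models how a first-match rulebase with directional VPN conditions decides the connections described in both tables above: the drop/accept pair for the Remote Access community, and the user-group-as-destination rule for back connections. The object names (MyIntranet, Remote_Users, the hosts and the gateway) and the sample connections are constructed for illustration. The `to_mgmt_api_body` helper assumes the `vpn.directional` request shape of the Management API's `add-access-rule` call; verify it against the API reference for your release before using it.

```python
# Added illustration, not Check Point code. Models first-match evaluation of
# rules whose VPN column holds a directional condition (from => to).
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "Any"
ANY_TRAFFIC = "Any Traffic"            # matches traffic inside any community and outside the VPN
RA = "Remote_Access_Community"


@dataclass(frozen=True)
class Connection:
    src: str                              # source network object
    dst: str                              # destination network object
    src_vpn: Optional[str]                # community the source side belongs to; None = clear traffic
    dst_vpn: Optional[str]                # community the destination side belongs to
    dst_user_group: Optional[str] = None  # group the remote client at dst authenticated as
    service: str = "https"


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str                      # object name, "Any", or "<user group>@<location>"
    vpn_from: str                         # directional condition: community name or ANY_TRAFFIC
    vpn_to: str
    service: str
    action: str                           # "accept" or "drop"


def _vpn_side_matches(condition: str, community: Optional[str]) -> bool:
    # "Any Traffic" matches encrypted and clear traffic; a named community must match exactly.
    return condition == ANY_TRAFFIC or condition == community


def _destination_matches(rule_dst: str, conn: Connection) -> bool:
    if rule_dst == ANY:
        return True
    if "@" in rule_dst:
        # User group as destination ("Remote_Users@Any"): the client at dst must be a
        # member of the group, and the location part restricts where it may sit.
        group, location = rule_dst.split("@", 1)
        return conn.dst_user_group == group and location in (ANY, conn.dst)
    return rule_dst == conn.dst


def evaluate(rulebase: List[Rule], conn: Connection) -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule; anything else hits the implicit cleanup drop."""
    for rule in rulebase:
        if rule.source not in (ANY, conn.src):
            continue
        if not _destination_matches(rule.destination, conn):
            continue
        if not (_vpn_side_matches(rule.vpn_from, conn.src_vpn)
                and _vpn_side_matches(rule.vpn_to, conn.dst_vpn)):
            continue
        if rule.service not in (ANY, conn.service):
            continue
        return rule.name, rule.action
    return "implicit cleanup", "drop"


# The two tables above, as one ordered rulebase (rule names are constructed).
RULEBASE = [
    Rule("block RA to intranet", ANY, ANY, RA, "MyIntranet", ANY, "drop"),
    Rule("allow RA elsewhere", ANY, ANY, RA, ANY_TRAFFIC, ANY, "accept"),
    Rule("back connections to clients", ANY, "Remote_Users@Any", ANY_TRAFFIC, RA, ANY, "accept"),
]

# Constructed sample connections.
TO_INTRANET = Connection("laptop-7", "intranet-db", RA, "MyIntranet")
TO_DMZ = Connection("laptop-7", "dmz-web", RA, None)
CLIENT_TO_CLIENT = Connection("laptop-7", "laptop-9", RA, RA, dst_user_group="Remote_Users")
BACK_CONNECTION = Connection("gw-hq", "laptop-7", None, RA, dst_user_group="Remote_Users")
BACK_TO_CONTRACTOR = Connection("gw-hq", "laptop-12", None, RA, dst_user_group="Contractors")


def swapped_order_allows_intranet() -> bool:
    """Shows why the drop rule must precede the accept rule: swapped, the intranet becomes reachable."""
    swapped = [RULEBASE[1], RULEBASE[0], RULEBASE[2]]
    return evaluate(swapped, TO_INTRANET)[1] == "accept"


def to_mgmt_api_body(rule: Rule, layer: str, position: int) -> dict:
    """Request body for the Management API add-access-rule call.
    The vpn.directional shape is assumed from the API reference; verify it on your release."""
    return {
        "layer": layer,
        "position": position,
        "name": rule.name,
        "source": rule.source,
        "destination": rule.destination,
        "service": rule.service,
        "vpn": {"directional": [{"from": rule.vpn_from, "to": rule.vpn_to}]},
        "action": rule.action,
    }


if __name__ == "__main__":
    for label, conn in [("remote -> intranet", TO_INTRANET), ("remote -> DMZ", TO_DMZ),
                        ("client -> client", CLIENT_TO_CLIENT), ("gateway -> client", BACK_CONNECTION),
                        ("gateway -> contractor", BACK_TO_CONTRACTOR)]:
        print(f"{label:24} {evaluate(RULEBASE, conn)}")
    print("swapped order allows intranet:", swapped_order_allows_intranet())
```

Running the block shows the intranet connection dropped by the first rule, DMZ and client-to-client traffic accepted by the second, the gateway's back connection to a Remote_Users member accepted by the third, and a back connection to a client in a different group falling through to the implicit drop. `swapped_order_allows_intranet` makes the ordering point concrete: with the accept rule first, the intranet host is reachable.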
Configuring Directional VPN with Remote Access Communities
To configure Directional VPN with Remote Access communities:
- In Global Properties > VPN > Advanced, select Enable VPN Directional Match in VPN Column.
- Right-click inside the VPN column of the appropriate rule, and select Edit... or Add Direction from the pop-up menu.
The VPN Match Conditions window opens.
- Click Add.
The Directional VPN Match Conditions window opens.
- From the drop-down box on the right, select the source of the connection.
- From the drop-down box on the left, select the connection's destination.
- Click OK.