EZVpn on the ASA 5505 - Best configuration to provide & block VPN access

I'm setting up a pair of 5505s (both with Base licenses and running 8.4(3))--one in the office, one at my boss' home.  In part, the office unit will function as an EZVpn server.  It's configured against a static IP.  Rather than bother with a static IP or DDNS for the home unit, I'm going to configure it as an EZVpn client.  

As the 5505 will sit in front of a home network there will be several family devices connected that will simply need Internet access.  The other two computers are the only ones that should have VPN access.  What's the best way to configure this set up to ensure only those two systems can ever see the VPN?  Thanks.
mrpierce2Asked:

eeRootCommented:
Can you split the traffic the different VLAN's?  Or put the office VPN connection on a DMZ connection and leave the family connections on the inside interface?
0
mrpierce2Author Commented:
eeRoot:

Hello.

Since I haven't yet had the occasion to set up a DMZ (I have an SBS network in the office where everything is on the same subnet and I filter specific ports), I had a mental block about the ASA restricted license and how it works in relation to a DMZ.  I now understand that the restriction just means any one of the three interfaces can only go one direction.  

I get that I can separate each group of computers (home, work) on a separate interface each assigned to its own VLAN.  Since they'd both access the net, the restriction ("no forward interface") would be placed on the VLAN with the home computers.  With only these changes specified to the config, both of those VLANs can still access the VPN though, right?  So, in order to ensure the computers on that 'home' VLAN never have VPN access (to the office net), is it as simple as adding a command to deny an outbound connection from the associated interface/VLAN to the public IP address of my server (i.e. the VPN)?

You noted splitting the traffic of the different VLANs.  Can you provide a little more info and/or an example?

One other thought regarding a more 'subdivided' configuration... My boss is doing video postproduction from his home.  It's not in the plan right now, but since we're now moving from his using a software client to having a 5505 at his home, I thought I should make an allowance for a DMZ to support a mini-server that could be set to receive large video files from the office/clients/freelancers, some of which might be uploaded at off hours.  This could eliminate some of the hard drive shuttling we currently do between office and home.  In this scenario, the DMZ would be restricted and used solely for the mini-server.  Both office and home computers would then be together on the inside interface.  How would I then limit VPN access to only the two office computers?  Is this something that's accomplished through MAC address filtering by the ASA?  Can I have multiple VLANs on the same interface and then restrict the appropriate VLAN?
0
eeRootCommented:
If the home PCs are on the inside interface, and a rule is set to block their access to the VPN IP range, they will be isolated.  You could then put the boss's PC in a DMZ that can access the VPN connection.  And if you may need to add a server, sometime in the future, add it to the same DMZ as the boss's PC.

If the boss's PC and home PCs must be on the same network, then you could use DHCP address reservations to control what IP addresses the PCs get.  And then create a firewall rule that allows the boss's PC's IP address access to the DMZ and VPN tunnel.
0
mrpierce2Author Commented:
eeRoot:

Great solutions.  Thanks.  At present I'm finishing up with the office unit and it will be a few days before I start configuring the home ASA.  I'm going to leave this question open a bit longer while I config that unit.
0
mrpierce2Author Commented:
eeRoot:

Thanks again for your help.  Sorry to take so long to finish this up.  I had a situation with connection drops on the office ASA 5505 that was truly one of the most frustrating experiences of my IT life.  It pretty much absorbed all my attention, but I'm smiling with relief now that it's over.

I decided to implement your first suggestion and put the work and home systems on separate interfaces, so it was easy to link only the work interface to the VPN.  I don't use DHCP on the office ASA--our SBS server provides it and I'm used to thinking of DHCP in terms of a handful of reservations and a single scope.  With the remote ASA I realized I could have its DHCP server assign separate subnets to the inside interface and the DMZ.  I also decided to name them to be more obvious as HOME and WORK.  Still need to work out a couple of networking/DNS issues so all key systems can be seen/accessed, but I'm 90% there.
0
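The split that eeRoot suggested and mrpierce2 ended up with (separate HOME and WORK VLANs, per-VLAN DHCP scopes, and an explicit rule keeping HOME away from the tunnel) looks roughly like the following on an ASA 5505 Base license. This is an added, constructed example, not the poster's actual configuration; all addresses, VLAN numbers and the group name are placeholders.

```cisco
! Constructed example. Placeholder addressing:
!   office LAN reached through the EZVPN tunnel: 10.10.10.0/24
!   WORK VLAN (the two work PCs):               192.168.10.0/24
!   HOME VLAN (family devices):                 192.168.20.0/24
!
interface Vlan2
 nameif outside
 security-level 0
 ip address dhcp setroute
!
! WORK: the only network that is allowed to reach the office LAN
interface Vlan1
 nameif WORK
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! HOME: the third VLAN the Base license allows. "no forward interface"
! (which must precede nameif) stops HOME from initiating traffic to WORK.
interface Vlan3
 no forward interface Vlan1
 nameif HOME
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Switch ports: 0/1 for a work PC, 0/3 for a family device (repeat as needed)
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/3
 switchport access vlan 3
!
! Separate DHCP scope per VLAN, served by the ASA itself
dhcpd address 192.168.10.10-192.168.10.20 WORK
dhcpd enable WORK
dhcpd address 192.168.20.10-192.168.20.50 HOME
dhcpd enable HOME
!
! Explicit inbound ACL on HOME: deny anything bound for the office LAN or
! WORK, allow everything else (plain Internet access)
access-list HOME_IN extended deny ip 192.168.20.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list HOME_IN extended deny ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list HOME_IN extended permit ip any any
access-group HOME_IN in interface HOME
!
! Easy VPN hardware client, network-extension mode, pointed at the office ASA
vpnclient server OFFICE_PUBLIC_IP
vpnclient mode network-extension-mode
vpnclient vpngroup GROUP_NAME password GROUP_PRESHARED_KEY
vpnclient enable
```

The ACL makes the isolation explicit rather than relying only on the Base-license forwarding restriction, so a quick `packet-tracer input HOME tcp 192.168.20.10 1025 10.10.10.5 445` should show the drop once the tunnel is up.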