Blocking an IPSec subnet while letting a few hosts through
Hi,
I have an IPSec tunnel with another company. We have our subnets both set to /24. Now I want to block all of the other side, letting a few through, not the entire subnet.
I have a group with hosts I'd like to allow, but want to block the ones not in that group (mainly the rest, that is).
How would I need to proceed?
Jeroen
Accepted Solution
Hi @JeroenSoree,
You can create the following two security policy rules.
The priority of Rule 1 must be higher than Rule 2.
Rule 1
From: IPSec-VPN
To: LAN
Source: the group with hosts from the remote VPN site you'd like to allow
Destination: the address of the local servers in ATP
Action: allow
Rule 2
From: IPSec-VPN
To: LAN
Source: any
Destination: any
Action: deny
In the following example, site to site VPN is established between ATP and another ZyWALL.
(192.168.1.0/24)ATP-----VPN------ZyWALL(192.168.10.0/24)
Only the IP addresses 192.168.10.33 and 192.168.10.34 from the remote site are able to access the local server in ATP.
Other IPs from the remote ZyWALL are not able to access the local server in ATP.
Best regards,
Emily
5
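To see why the priority of Rule 1 over Rule 2 matters, here is an added example (not from the original thread or from Zyxel): a small first-match evaluator for the two rules above, run with the correct order and with the order reversed. The zone names come from the answer; the remote hosts 192.168.10.33/34 are the ones in the example, and the local server address 192.168.1.10 is an assumed sample value.

```python
# Added example, not part of the original post. Models a first-match
# security policy list: the first rule whose zones, source and
# destination all match decides the packet.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    sources: tuple       # CIDR strings, or ("any",)
    destinations: tuple  # CIDR strings, or ("any",)
    action: str          # "allow" or "deny"


def _matches(addr: str, nets: tuple) -> bool:
    """True if addr is covered by any of the networks (or nets is 'any')."""
    if nets == ("any",):
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def evaluate(rules, from_zone, to_zone, src, dst, default="deny"):
    """Return (rule name, action) of the first matching rule, else implicit deny."""
    for r in rules:
        if (r.from_zone == from_zone and r.to_zone == to_zone
                and _matches(src, r.sources) and _matches(dst, r.destinations)):
            return r.name, r.action
    return "implicit", default


# Constructed sample values: the allowed remote hosts from the answer and an
# assumed address for the local server on the ATP side.
ALLOWED_REMOTE = ("192.168.10.33/32", "192.168.10.34/32")
LOCAL_SERVER = ("192.168.1.10/32",)

RULE1 = Rule("Rule 1", "IPSec-VPN", "LAN", ALLOWED_REMOTE, LOCAL_SERVER, "allow")
RULE2 = Rule("Rule 2", "IPSec-VPN", "LAN", ("any",), ("any",), "deny")

CORRECT_ORDER = (RULE1, RULE2)   # allow group first, then deny the rest
WRONG_ORDER = (RULE2, RULE1)     # deny-any shadows Rule 1: nobody gets through


def decide(rules, src, dst="192.168.1.10"):
    """Action for traffic from the VPN zone to the LAN zone."""
    return evaluate(rules, "IPSec-VPN", "LAN", src, dst)[1]


if __name__ == "__main__":
    for src in ("192.168.10.33", "192.168.10.34", "192.168.10.50"):
        print(src, "correct:", decide(CORRECT_ORDER, src), "reversed:", decide(WRONG_ORDER, src))
```

With the reversed order every VPN source is denied, including the two hosts in the group, which is the symptom to check for if the allow rule seems to have no effect.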
All Replies
Thanks a lot, works!
0