Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
KennethKarlsson
New Contributor

Limit SSL VPN user access to VLAN

I am probably misunderstanding something here, but here it goes.

Is it possible to deny an SSL VPN user access to a certain VLAN?

Scenario:

I have 3 VLANs in my network: LAN, MGMT and DMZ.

I want the normal users to only be able to access the LAN VLAN when connecting.

 

So I made a test user called TestUser and assigned him to the "SSLOnly_LAN" group.

 

2023-12-08_14-10-18.png

 

 

Made an SSL-VPN portal (tunnel mode, policy destination).

2023-12-08_14-11-03.png

 

Added a Portal Mapping for that specific group

2023-12-08_14-11-17.png

 

And finally made a policy for the users that allows them access to Vlan134, but denies access to Mgmt(lan).

2023-12-08_14-09-33.png

 

But still the user is able to access VLANs they are not supposed to?

What am I missing here? Or what have I misunderstood?

 

Thanks in advance.

 

Kenneth Karlsson

Denmark

 

Debbie_FTNT
Staff

Hey Kenneth,

In your DENY policy, you have source-address 'None', correct?

That means NO traffic can ever match this policy (because no traffic will have source 'None') so the policy would never apply.

You would need to set the proper source address for the users (as if allowing them access), and then instead of setting action 'allow' in policy, set action 'deny'.
The group is also a required source parameter, meaning any traffic that matches the source address, but does NOT come from this group, will not match. Only traffic coming from the source address AND belonging to the group will match into the policy, and thus get denied.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
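The policy pair the reply describes, written out as FortiOS CLI. This is an added example, not configuration from the original post or from Fortinet; the SSL VPN interface "ssl.root", the address object "SSLVPN_TUNNEL_ADDR1", the destination interface names "MGMT" and "Vlan134" and the policy names are assumptions and should be replaced with the objects that exist on your FortiGate.

```fortios
# Assumed names: ssl.root (SSL VPN tunnel interface), SSLVPN_TUNNEL_ADDR1
# (tunnel client address range), MGMT and Vlan134 (VLAN interfaces).
config firewall policy
    # Explicit deny: same source address and same group as the allow policy,
    # only the action differs. A source address of 'None' would never match.
    edit 0
        set name "SSLVPN_SSLOnly_LAN_deny_MGMT"
        set srcintf "ssl.root"
        set dstintf "MGMT"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set groups "SSLOnly_LAN"
        # Log the denied sessions so blocked access attempts are visible.
        set logtraffic all
        set comments "SSLOnly_LAN users must not reach the MGMT VLAN"
    next
    # Allow: the group only reaches the LAN VLAN.
    edit 0
        set name "SSLVPN_SSLOnly_LAN_allow_Vlan134"
        set srcintf "ssl.root"
        set dstintf "Vlan134"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLOnly_LAN"
        set logtraffic all
    next
end
# Policies are evaluated top-down, first match wins. With distinct dstintf
# values the order above does not matter; if the allow policy used dstintf
# "any", the deny policy would have to sit above it.
#
# Verification while a TestUser session is connected (tunnel IP assumed):
# diagnose debug flow filter addr 10.212.134.200
# diagnose debug flow show function-name enable
# diagnose debug flow trace start 10
# diagnose debug enable
# The trace names the policy id each packet matched; traffic to MGMT
# should report the deny policy, traffic to Vlan134 the allow policy.
```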