To explain this solution, let's say the IP settings are as follows:
| Host | IP address |
| --- | --- |
| Internal (Corporate) server | 10.10.1.50 |
| VPN Tunnel client | 10.11.1.151 |
With these addresses, Network Connect (or Pulse) can be configured as follows:
- If the VPN Tunneling ACL is set to `tcp://10.10.1.50:*`, the server can initiate a session from 10.10.1.50 to the VPN client (Pulse or Network Connect) at 10.11.1.151.
  However, this also means that the client can initiate a session to the server, i.e. from 10.11.1.151 to 10.10.1.50. The VPN Tunneling ACL only defines which resources a tunnel may carry traffic to; it does not distinguish which side opened the session.
  If that is undesirable, the restriction has to be enforced on a firewall, because the VPN Tunneling ACL cannot be used to block communication in one direction only.
If a firewall sits between the VPN tunnel and the internal LAN and can block connections in the outbound (VPN Tunnel > Internal LAN) direction, create a VPN Tunneling ACL on the IVE that allows `tcp://10.10.1.50:*`, and on the firewall configure a policy that denies VPN Tunnel > Internal LAN while allowing Internal LAN > VPN Tunnel. The firewall policy must be stateful (it must track sessions); a stateless rule would also drop the client's reply packets of a session the server opened, since those travel VPN Tunnel > Internal LAN.
This allows any inbound connection from that server to the Network Connect or Pulse client, while the client cannot open sessions of its own. The port in the ACL must be `*`: in a server-initiated session the server's end of the connection uses an ephemeral port, and the client's reply traffic is addressed to that port (in this scenario, from the VPN Tunnel client system back to 10.10.1.50:<ephemeral>), so a fixed port in the ACL would not match it and the session would fail.
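To make the difference between the two controls concrete, the following is an added Python model of the behaviour described above; it is not Pulse Secure or IVE code. It pairs a direction-agnostic ACL matcher, which compares the LAN-side endpoint of every packet with a `tcp://host:port` rule regardless of who opened the session, with a stateful firewall that decides on the session-opening packet and then passes the replies. Only the two IP addresses and the ACL string come from this page; the /24 network sizes, the ephemeral port 49152, the destination ports 3389 and 22, and all function names are assumptions made for the example.

```python
"""Toy model of why a VPN Tunneling ACL cannot enforce direction while a
stateful firewall can. Constructed example; not Pulse Secure / IVE code.
Only the two addresses and the ACL string come from the page; the /24
networks, the port numbers and the names below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SERVER = "10.10.1.50"                       # Internal (Corporate) server, from the page
CLIENT = "10.11.1.151"                      # VPN Tunnel client, from the page
INTERNAL_LAN = ip_network("10.10.1.0/24")   # assumed network size
VPN_POOL = ip_network("10.11.1.0/24")       # assumed network size


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True for the packet that opens a TCP session


def parse_acl(resource: str):
    """Split 'tcp://10.10.1.50:*' into ('tcp', '10.10.1.50', '*')."""
    proto, rest = resource.split("://", 1)
    host, port = rest.rsplit(":", 1)
    return proto, host, port


def acl_allows(resource: str, pkt: Packet) -> bool:
    """Model of the tunneling ACL: the rule names the LAN-side endpoint of a
    flow and says nothing about which side opened it. Whatever direction a
    packet travels, the endpoint that is not the client is compared with the
    rule, so an allow for host:* permits sessions initiated from either side."""
    proto, host, port = parse_acl(resource)
    if pkt.src == CLIENT:
        remote_host, remote_port = pkt.dst, pkt.dport
    else:
        remote_host, remote_port = pkt.src, pkt.sport
    return (proto == pkt.proto and host == remote_host
            and (port == "*" or int(port) == remote_port))


class StatefulFirewall:
    """Policy from the page: allow Internal LAN > VPN Tunnel, deny VPN Tunnel >
    Internal LAN. Direction is decided on the session-opening packet; every
    later packet of an accepted session passes in both directions."""

    def __init__(self) -> None:
        self.sessions = set()

    def allows(self, pkt: Packet) -> bool:
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.sessions:
            return True                      # reply traffic of an accepted session
        if not pkt.syn:
            return False                     # stray packet, no session
        lan_to_vpn = (ip_address(pkt.src) in INTERNAL_LAN
                      and ip_address(pkt.dst) in VPN_POOL)
        if lan_to_vpn:
            self.sessions.add(key)
            return True
        return False                         # VPN Tunnel > Internal LAN denied


def run_scenarios(acl: str = "tcp://10.10.1.50:*") -> dict:
    """Replay the flows discussed on the page through both controls.
    Returns {name: (acl_allowed, firewall_allowed)}."""
    fw = StatefulFirewall()
    # The server opens a session to the client: the server's own port is ephemeral.
    server_syn = Packet(SERVER, 49152, CLIENT, 3389, syn=True)
    client_reply = Packet(CLIENT, 3389, SERVER, 49152)
    # The client opens a session to the server (the undesired direction).
    client_syn = Packet(CLIENT, 50000, SERVER, 22, syn=True)
    flows = [("server_to_client_open", server_syn),
             ("client_reply", client_reply),
             ("client_to_server_open", client_syn)]
    return {name: (acl_allows(acl, p), fw.allows(p)) for name, p in flows}


if __name__ == "__main__":
    for name, (acl_ok, fw_ok) in run_scenarios().items():
        print(f"{name:24s} ACL={'allow' if acl_ok else 'deny':5s} "
              f"firewall={'allow' if fw_ok else 'deny'}")
    # Pinning the port in the ACL breaks the server-initiated session,
    # because the server's side of that session is an ephemeral port.
    print("pinned port:", run_scenarios("tcp://10.10.1.50:3389")["server_to_client_open"])
```

Running the script shows the three points of the article: with `tcp://10.10.1.50:*` the ACL passes the client-initiated session as readily as the server-initiated one, only the stateful firewall denies it, and the firewall still passes the client's replies to the session the server opened. Changing the ACL to a fixed port such as `:3389` makes the server-initiated session fail at the ACL, because the port on the server side is the ephemeral 49152, not 3389.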