It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda SSL VPN

How can I configure my Barracuda SSL VPN to only allow access from certain IP addresses?

  • Type: Knowledgebase
  • Date changed: 2 years ago

Solution #00004874



Applies to all Barracuda SSL VPNs.



Using NAC, the Barracuda SSL VPN can be configured to block any users that are attempting to log in from an unauthorized IP address. For example, a Barracuda SSL VPN is only to allow access to users logging in from two specific subnets, and, and from 2 specific IP addresses, and The best method to configure this will be to block access to all IP addresses and create NAC Exceptions for the subnets and individual IPs. To do this, follow these instructions:

  1. Login to the SSL VPN with ssladmin and select the database this configuration will be setup on. NAC is realm aware so you must be editing the user database this will be for.
  2. Go to ACCESS CONTROL > NAC and make sure Enable NAC Rules is set to Yes. Then set the Login from any IP Address option to Block and save the changes.
  3. Access to the SSL VPN on this user database is being blocked for all IP Addresses and will need exceptions to allow any kind of access. Go to ACCESS CONTROLS > NAC Exceptions and create a new exception:
    1. Set a name for the exception
    2. Select the Lookup button. This loads the Applies To page which allows specification of the Users/Groups/Policies the exception will apply to. Select Add when finished adding principles.
    3. In the Type list select IP Address.
    4. In the Sub Type/Expression field the allowed IPs must be entered. This field accepts individual IP addresses, addresses using wildcards, and CIDR Addresses. Only one entry can be made per exception so begin by adding the first subnet, 1.2.3.* (or
    5. Set the Access option to Allow & Continue or Allow.
    6. Select the Add button to save the exception.

As each IP address exception can only hold one value, a total of four exceptions will need to be made. One for each subnet and individual IP address previously listed.


Link to this page: