Access control for Client VPN on Cisco 5520

Answered Question
Mar 13th, 2007
I am using the ASDM to set up client VPNs for users. At one point in the wizard you specify traffic that's exempt from NAT that your users can access. But there were no other controls on what protocols/ports they can access. My question is, where would I put the access rules? Would I put them on the inside interface incoming (on the security policy tab), or is there some place in the VPN tab (such as the group policy section) where I would allow/restrict specific ports/protocols? I would just use trial and error, but there are active P2P VPNs on this box, and last time I added an access rule for the inside interface incoming, it ended up breaking all the P2P VPN access. Any suggestions?


Thanks,

Jeff

acomiskey Tue, 03/13/2007 - 08:54

You can create a vpn-filter which is applied to a group policy with sysopt connection permit-ipsec. There is little documentation on it and it is very buggy, but it is an option.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml


Or remove sysopt connection permit-ipsec and use your interface ACLs to restrict the traffic. For example, add an ACL out interface inside.

westcare Tue, 03/13/2007 - 12:09
Sounds good... I'll give the outgoing interface inside access lists a try and let you know.


Thanks,

Jeff

Correct Answer
acomiskey Tue, 03/13/2007 - 12:15

I'm sure you know this, but that will affect all traffic, not only VPN, so be sure to write your ACL correctly: allow what you want from the VPN client subnet, deny everything else from the VPN client subnet, then allow everything else. You also have to do "no sysopt connection permit-ipsec/vpn" or the traffic will bypass the ACL. Good luck.


Oh, and don't forget about your other VPN tunnels.

westcare Tue, 03/13/2007 - 12:28
Ahhh, I see... so when I do the "no sysopt connection permit-ipsec/vpn" command, that will mean that ALL VPN traffic will not bypass the ACLs, and I'll need to create ACLs for ALL existing VPNs or they will all break. Good point... I'm still getting used to the Cisco way of things (coming from ISA, bleh), so thanks for the heads up. I'll give the group policy access lists a try first, as they seem to be specific to each tunnel group. Hopefully they work... if not, time to make a lot of ACLs :D


Thanks,

Jeff

acomiskey Tue, 03/13/2007 - 12:37

If you did "no sysopt conn ...", you would also need to specifically allow isakmp, esp, etc. in your outside ACL.


If you only want to filter one specific VPN, your ACLs wouldn't be that long, mostly a bunch of permit ip any any from your existing VPNs you don't want to filter. But the vpn-filter is much slicker. You may have luck with it.
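The two approaches the replies describe, written out as an added ASA configuration example (not from the thread or from Cisco's document). Assumed values: client pool 10.10.10.0/24, inside server 192.168.1.25, an existing site-to-site peer network 10.20.0.0/16, group policy RA-POLICY and outside address 203.0.113.1; the source/destination orientation of the vpn-filter ACE is an assumption to verify against the linked Cisco example.

```text
! Added example, not from the thread. Assumed values:
!   remote-access client pool     10.10.10.0/24
!   inside server clients may use 192.168.1.25 (SMTP, IMAP)
!   existing site-to-site peer    10.20.0.0/16
!   remote-access group policy    RA-POLICY
!   ASA outside address           203.0.113.1

! --- Option A: vpn-filter on the group policy (sysopt connection permit-vpn stays)
! Affects only this tunnel group; other VPNs keep bypassing interface ACLs.
! Assumption to verify: the ACE is written with the inside host as SOURCE
! (port on the source side) and the client pool as DESTINATION; the ASA
! applies the filter to both directions of the tunnel.
access-list RA-FILTER extended permit tcp host 192.168.1.25 eq smtp 10.10.10.0 255.255.255.0
access-list RA-FILTER extended permit tcp host 192.168.1.25 eq imap4 10.10.10.0 255.255.255.0
access-list RA-FILTER extended deny ip any any
group-policy RA-POLICY attributes
 vpn-filter value RA-FILTER

! --- Option B: interface ACLs, as the accepted answer describes
! After this, EVERY tunnel's decrypted traffic is checked by interface ACLs,
! so every existing VPN needs a permit or it breaks.
no sysopt connection permit-vpn

! Inbound on outside: tunnel protocols (per the reply above) plus the
! decrypted traffic of every tunnel, which is checked here once sysopt is off.
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq 4500
access-list OUTSIDE-IN extended permit esp any host 203.0.113.1
access-list OUTSIDE-IN extended permit ip 10.10.10.0 255.255.255.0 any
access-list OUTSIDE-IN extended permit ip 10.20.0.0 255.255.0.0 any
access-group OUTSIDE-IN in interface outside

! Outbound on inside: allow what the client pool may reach, deny the rest
! from the pool, then allow everything else (including the other VPN).
access-list INSIDE-OUT extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.25 eq smtp
access-list INSIDE-OUT extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.25 eq imap4
access-list INSIDE-OUT extended deny ip 10.10.10.0 255.255.255.0 any
access-list INSIDE-OUT extended permit ip 10.20.0.0 255.255.0.0 any
access-list INSIDE-OUT extended permit ip any any
access-group INSIDE-OUT out interface inside
```

Before applying option B on a box with live tunnels, list every existing VPN subnet and give each a permit in both ACLs, since the implicit deny at the end of an interface ACL is what broke the P2P tunnels described in the question.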
