Access control for Client VPN on Cisco 5520

westcare
Level 1

I am using the ASDM to set up client VPNs for users. At one point in the wizard you specify the traffic that's exempt from NAT that your users can access, but there were no other controls on what protocols/ports they can access. My question is, where would I put the access rules? Would I put them on the inside interface incoming (on the Security Policy tab), or is there some place in the VPN tab (such as the group policy section) where I would allow/restrict specific ports/protocols? I would just use trial and error, but there are active P2P VPNs on this box, and last time I added an access rule for the inside interface incoming, it ended up breaking all the P2P VPN access. Any suggestions?

Thanks,

Jeff

5 Replies

acomiskey
Level 10

You can create a vpn-filter, which is applied to a group policy, with sysopt connection permit-ipsec. There is little documentation on it and it is very buggy, but it is an option.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or remove sysopt connection permit-ipsec and use your interface ACLs to restrict the traffic. For example, add an ACL out on interface inside.
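As an added example (not configuration from the thread, and not taken from the linked Cisco document), here is what the first option looks like on the ASA CLI: an ACL bound to the group policy as a vpn-filter, with sysopt connection permit-ipsec (permit-vpn on newer releases) left in place so the existing site-to-site tunnels keep bypassing the interface ACLs and are not affected. The client pool 10.10.10.0/24, the inside hosts, and the group-policy name RA-GP are assumptions for illustration.

```cisco
! Added example, not from the thread. Assumed values: VPN client pool 10.10.10.0/24,
! file/RDP server 192.168.1.50, DNS server 192.168.1.10, monitoring host 192.168.1.20,
! remote-access group policy RA-GP.
!
! vpn-filter ACEs are always written with the remote side (the VPN client) as the
! source and the local network as the destination, whichever side opens the connection.
access-list RA-VPN-FILTER remark Clients may reach SMB and RDP on the file server
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 445
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list RA-VPN-FILTER remark Clients may resolve names against the internal DNS server
access-list RA-VPN-FILTER extended permit udp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq domain
access-list RA-VPN-FILTER remark Inside host -> client connections: the client's port is written
access-list RA-VPN-FILTER remark as the SOURCE port, because the client stays the ACE source
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 host 192.168.1.20
access-list RA-VPN-FILTER remark Everything else to or from the clients is dropped by the implicit deny
!
! Bind the filter to the group policy used by the tunnel group(s) for these clients.
group-policy RA-GP attributes
 vpn-filter value RA-VPN-FILTER
!
! Leave the bypass in place: with it, the interface ACLs are not consulted for decrypted
! traffic, so the existing site-to-site tunnels on the box are untouched by this change.
! (Older releases spell this "sysopt connection permit-ipsec".)
sysopt connection permit-vpn
!
! Checks: confirm the filter shows up on a live client session and that its ACEs get hits.
show vpn-sessiondb detail remote
show access-list RA-VPN-FILTER
```

The filter only applies to sessions that land in RA-GP, so a second tunnel group with its own group policy (or one with `vpn-filter none`) is unaffected; that is what makes this option safe to roll out while the site-to-site tunnels stay up.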

Sounds good... I'll give the outgoing interface inside access lists a try and let you know.

Thanks,

Jeff

I'm sure you know this, but that will affect all traffic, not only VPN, so be sure to write your ACL correctly: allow what you want from the VPN client subnet, deny everything else from the VPN client subnet, then allow everything else. You also have to do "no sysopt connection permit-ipsec/vpn" or the traffic will bypass the ACL. Good luck.

Oh, and don't forget about your other VPN tunnels.

Ahhh, I see... so when I do the "no sysopt connection permit-ipsec/vpn" command, that will mean that ALL VPN traffic will no longer bypass the ACLs and I'll need to create ACLs for ALL existing VPNs or they will all break. Good point... I'm still getting used to the Cisco way of things (coming from ISA, bleh), so thanks for the heads up. I'll try the group policy access lists first, as they seem to be specific to each tunnel group. Hopefully they work... if not, time to make a lot of ACLs :D

Thanks,

Jeff

If you did "no sysopt conn ...", you would also need to specifically allow isakmp, esp, etc. in your outside ACL.

If you only want to filter one specific VPN, your ACLs wouldn't be that long, mostly a bunch of permit ip any any entries for your existing VPNs you don't want to filter. But the vpn-filter is much slicker. You may have luck with it.
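The second option, pulled together from the accepted answer and the follow-up about the outside ACL, as an added example that is not configuration from the thread: disable the IPsec/VPN ACL bypass and do the filtering in the interface ACLs. The thread suggests an outbound ACL on the inside interface; this example puts the client restriction in the inbound ACL of the outside interface instead, because that is the first ACL decrypted traffic meets once the bypass is off, so one list covers both the clients and the existing tunnels (the same permit/deny/permit ordering applies if you prefer the inside-outbound placement). The addresses, the site-to-site remote LAN 172.16.0.0/16 and the ACL name OUTSIDE-IN are assumptions.

```cisco
! Added example, not from the thread. Assumed values: VPN client pool 10.10.10.0/24,
! internal LAN 192.168.1.0/24, ASA outside address 198.51.100.1, and one existing
! site-to-site tunnel whose remote LAN is 172.16.0.0/16.
!
! Step 1: stop decrypted VPN traffic from bypassing the interface ACLs. From here on
! EVERY tunnel on the box, the site-to-site ones included, is subject to OUTSIDE-IN,
! which is why their networks need explicit permits below. (Older releases spell
! this "no sysopt connection permit-ipsec".)
no sysopt connection permit-vpn
!
! Step 2: the outside inbound ACL. Order matters: specific permits for the clients,
! then a deny for the rest of the client pool, then what the existing tunnels need.
access-list OUTSIDE-IN remark --- tunnel setup traffic, as the reply above advises ---
access-list OUTSIDE-IN extended permit udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 198.51.100.1 eq 4500
access-list OUTSIDE-IN extended permit esp any host 198.51.100.1
access-list OUTSIDE-IN remark --- remote-access clients: only what they need ---
access-list OUTSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 445
access-list OUTSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list OUTSIDE-IN extended permit udp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq domain
access-list OUTSIDE-IN remark Log the rest so a blocked client shows up in syslog instead of as a mystery
access-list OUTSIDE-IN extended deny ip 10.10.10.0 255.255.255.0 any log
access-list OUTSIDE-IN remark --- existing site-to-site tunnel keeps its unrestricted access ---
access-list OUTSIDE-IN extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN remark --- any pre-existing inbound rules for internet traffic follow here ---
access-group OUTSIDE-IN in interface outside
!
! Checks: the bypass must show as disabled, and a test client connection should
! raise the hit count on its permit line (or on the deny line, with a 106100 syslog).
show running-config sysopt
show access-list OUTSIDE-IN
```

If an inbound ACL already exists on the outside interface, the client permits and the deny must be inserted ahead of any broad permit it contains (use the `access-list NAME line N ...` form), or they never match; and every site-to-site peer on the box needs its own permit line before the change goes live, since disabling the bypass is what broke the P2P tunnels the original post describes.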
