Control what AnyConnect VPN clients can access

Oct 6th, 2008


How do I ensure that my VPN users that are connected using AnyConnect VPN to my ASA5520 have the same access restrictions/permissions as those connected locally?

Assign a pool in the same vlan/subnet as those connected locally?

Any input helps. Thanks

j.delossantos Mon, 10/06/2008 - 13:19

Thanks Jorge,

I'll check out that doc.

So, just to clarify, if I had users on VLAN 10 at my Main site, the only way to allow my VPN users the same access permissions as those users in VLAN 10 is through VPN filters.

I can't just put my VPN users on VLAN 10 and that would auto-magically give them access to the same networks/resources as the Main site local LAN users.



JORGE RODRIGUEZ Mon, 10/06/2008 - 16:49

Your AnyConnect RA clients should have a unique, separate network from any other internal subnets; you will find management and administration much easier as soon as you start creating different RA tunnels for different purposes in future. At least this is my practice, and I find it easy to administer and/or troubleshoot. If you decide to use a VPN tunnel network that is the same as an inside subnet, you may encounter problems down the road which will be hard to troubleshoot.

Now, you have a VLAN10 subnet internally. If I understand correctly, you want RA clients to have the same access VLAN10 users have. My question to you is: what type of access are you referring to? Do VLAN10 users have access to certain internal networks or specific hosts that others don't? If so, when you use VPN filters, build the same access control you have defined for VLAN10 users. You don't necessarily have to create per-user VPN filters, but rather a group policy defining the permitted access through the ACL, and apply it to the AnyConnect RA tunnel if the intent is for the whole tunnel group, just as shown in the RA VPN filter example link posted, excluding the per-user VPN filter.



j.delossantos Tue, 10/07/2008 - 09:15

I see.

So, use the same ACL statements but change the source address to the pool of addresses used by the VPN users.

It was mentioned in the doc that the filter is applied in both directions. How does that affect return traffic?

Thanks for the help and advice.

I'll test these.
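The configuration Jorge describes (a dedicated pool, the VLAN10 rules rewritten with the pool as source, applied through a group policy rather than per user), written out as an added example that is not from the thread or from Cisco's documentation. All names, addresses and the "VLAN10 rules" themselves are assumptions chosen for illustration; the webvpn/svc enablement and the AnyConnect image are assumed to be in place already. The comments also address the two-direction question: a vpn-filter ACL is written with the client address as the source, and the ASA evaluates it for connections in both directions, swapping source and destination when a connection is initiated from the inside toward the client.

```cisco
! Added example, not the original poster's or Cisco's config.
! Assumed: AnyConnect pool 10.99.0.0/24, VLAN10 is 10.10.0.0/24,
! servers 10.20.0.5 (SMB), 10.20.0.6 (HTTPS), 10.20.0.10 (DNS).

! 1. Dedicated pool on its own subnet, separate from every inside VLAN
ip local pool ANYCONNECT-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! 2. Assumed rules that already exist for VLAN10 users:
!    access-list VLAN10-OUT extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.5 eq 445
!    access-list VLAN10-OUT extended permit tcp 10.10.0.0 255.255.255.0 host 10.20.0.6 eq 443
!    access-list VLAN10-OUT extended permit udp 10.10.0.0 255.255.255.0 host 10.20.0.10 eq 53
!    access-list VLAN10-OUT extended deny ip any any
!
!    Same rules with the source rewritten to the VPN pool. The client
!    address is always the "source" in a vpn-filter ACE. Because the ASA
!    also applies the filter to connections initiated from inside toward
!    the client (with source and destination swapped), the first ACE
!    additionally permits 10.20.0.5 to open a connection to a client as
!    long as its source port is 445. Returning packets of a client-initiated
!    connection are handled by the stateful connection table, not the ACL.
access-list VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.20.0.5 eq 445
access-list VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.20.0.6 eq 443
access-list VPN-FILTER extended permit udp 10.99.0.0 255.255.255.0 host 10.20.0.10 eq 53
access-list VPN-FILTER extended deny ip any any log

! 3. One group policy carries the filter for the whole tunnel group,
!    so no per-user vpn-filter is needed
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPN-FILTER

! 4. Bind the group policy to the AnyConnect tunnel group
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 default-group-policy ANYCONNECT-GP
tunnel-group ANYCONNECT-TG webvpn-attributes
 group-alias anyconnect enable
```

Two checks worth running after applying this. `show vpn-sessiondb detail svc` (the 8.x command name) shows the filter name attached to each AnyConnect session, which confirms the group policy was actually inherited; `show access-list VPN-FILTER` shows hit counts, so a test connection from a client should increment the matching ACE and a blocked one should increment the final deny. The reason the filter is needed at all is that `sysopt connection permit-vpn` is on by default, which means decrypted VPN traffic bypasses the interface ACLs; the vpn-filter is the control that still applies to it.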

