RA VPN security policy

Unanswered Question
Nov 11th, 2008

How do you check which resources/networks a specific Remote Access VPN account is allowed to access on the network?


I am looking for the ASDM solution as well as CLI.


Thanks.

JORGE RODRIGUEZ Tue, 11/11/2008 - 10:31

To validate your RA tunnels I would start by looking at the tunnel group names with their respective IP local pool network and compare what type of access they have in the nonat access lists.

For example:

Assume you have an RA tunnel group called ratunnel

and an IP local pool of 200.200.200.1-200.200.200.254 for the RA VPN users,

and you have an inside network of 10.10.10.0/24 coming off your firewall's inside interface, where your inside resources are.

Then look at your nonat access list as below. You can then say, by looking at the nonat ACL below, that any RA VPN client using the ratunnel group to connect to your corporate network has access to any host in the 10.10.10.0/24 network. You would have to do this validation check for each of the nonat ACLs pertaining to any other tunnel group names you may have, and also any nonat ACL pointing to any other interfaces in your firewall, like the DMZ interface, etc.

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 200.200.200.0 255.255.255.0

Also, you may look at VPN filters that may be applied to a particular VPN user for that tunnel.



Rgds

Jorge
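The check Jorge describes (tunnel group -> address pool -> nonat ACL entries whose destination covers that pool) can be scripted against a saved "show running-config". The script below is an added example, not code from the original thread or from Cisco; the configuration excerpt is constructed for illustration and reuses the names from the answer. It assumes the pre-8.3 nat0 ACL style shown above, plain network/mask entries (no object-groups), and does not evaluate vpn-filter ACLs.

```python
import ipaddress
import re

# Constructed ASA configuration excerpt (not from a real device); the pool,
# tunnel-group and ACL names follow the example in the answer above.
ASA_CONFIG = """\
ip local pool rapool 200.200.200.1-200.200.200.254 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 200.200.200.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 200.200.200.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.20.0.0 255.255.0.0 192.168.50.0 255.255.255.0
tunnel-group ratunnel general-attributes
 address-pool rapool
"""

POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) extended permit ip (\S+) (\S+) (\S+) (\S+)")

def parse_pools(config):
    """Map each 'ip local pool' name to the network its address range lives in."""
    return {m[1]: ipaddress.ip_network(f"{m[2]}/{m[4]}", strict=False)
            for m in map(POOL_RE.match, config.splitlines()) if m}

def pool_for_tunnel_group(config, group):
    """Return the address-pool name bound under the group's general-attributes block."""
    in_block = False
    for line in config.splitlines():
        if line.startswith(f"tunnel-group {group} general-attributes"):
            in_block = True
        elif in_block and line.startswith(" address-pool "):
            return line.split()[1]
        elif not line.startswith(" "):  # any other top-level line ends the block
            in_block = False
    return None

def reachable_networks(config, group):
    """List (acl_name, inside_network) pairs whose nonat entry covers the group's pool."""
    pool = parse_pools(config).get(pool_for_tunnel_group(config, group))
    if pool is None:  # unknown group or group with no pool: nothing to report
        return []
    hits = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m:
            continue
        acl, src, smask, dst, dmask = m.groups()
        dst_net = ipaddress.ip_network(f"{dst}/{dmask}", strict=False)
        if pool.overlaps(dst_net):  # NAT exemption between this inside net and the VPN pool
            hits.append((acl, str(ipaddress.ip_network(f"{src}/{smask}", strict=False))))
    return hits
```

Run reachable_networks(ASA_CONFIG, "ratunnel") to get the inside networks the ratunnel pool is exempted for; repeat per tunnel group, and review any vpn-filter separately, as the answer notes.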
