Remote VPN client allowed to specific protocol like RDP only

Answered Question
Jul 28th, 2009

Hi, is it possible to allow or limit the VPN clients to a specific protocol like RDP to the allowed network (internal)? Most of the samples from Cisco allow the IP protocol on the access-list from the internal network to the IP pool, which is then exempted from NAT with nat 0. I have tried to allow only the RDP protocol in this access-list and it's not working.

Thanks.

Correct Answer by JORGE RODRIGUEZ about 7 years 6 months ago

Hi Rizaldy, unfortunately vpn-filter is not possible in 6.x code; this feature was introduced in code 7.x and above. You would have to upgrade to code 7.x or above.

http://www.cisco.com/en/US/docs/security/asa/asa70/command/reference/tz.html#wp1281154

On the other hand, if you already have a tunnel group for VPN clients and you want to limit that whole tunnel group to only RDP and nothing else, you can still do it with your current code with an ACL: not "permit ip" but "permit tcp" with the TCP port number, source VPN network, destination host. But this strategy will apply to all RA users for that tunnel group, which is not too practical, as opposed to using vpn-filters per user, which allows more control over individual users on the same tunnel group without affecting others.

Regards
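As an added illustration of the vpn-filter approach Jorge describes (this is not configuration from the thread or from Cisco; the pool, ACL names, group names, addresses and the internal server 192.168.1.20 are all placeholders), the following ASA 7.x-style snippet restricts a remote-access group to RDP only and shows a per-user filter that overrides the group filter without touching the other users:

```cisco
! Added example, not from the original thread. All names and addresses are placeholders.
! Goal: remote-access users may reach one internal host on TCP/3389 (RDP) and nothing else.
!
! Address pool handed out to remote-access clients
ip local pool RA-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! vpn-filter ACL. Written from the remote client's perspective: the client pool is the
! source and the internal host is the destination. The filter is applied to the tunnel
! in both directions, so only the initiating direction needs an entry.
access-list RA-RDP-ONLY extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
! Explicit logged deny so attempts at anything other than RDP show up in syslog
access-list RA-RDP-ONLY extended deny ip any any log
!
! Group-wide filter: every user who lands in this group-policy is RDP-only
group-policy RA-GP internal
group-policy RA-GP attributes
 vpn-filter value RA-RDP-ONLY
!
! Tunnel group for the remote-access clients, tied to the pool and group-policy above
tunnel-group RA-TG type ipsec-ra
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP
!
! Per-user override: one account that also needs SSH to the same host gets its own
! filter under "username ... attributes"; the rest of the group keeps RA-RDP-ONLY.
access-list RA-ADMIN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
access-list RA-ADMIN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 22
access-list RA-ADMIN extended deny ip any any log
username admin1 password PLACEHOLDER-PASSWORD
username admin1 attributes
 vpn-filter value RA-ADMIN
!
! Verification after a client connects:
!   show vpn-sessiondb remote        -> confirms which filter the session received
!   show access-list RA-RDP-ONLY     -> hit counts on the permit and on the logged deny
```

On the 6.x path the answer mentions, the same `permit tcp ... eq 3389` idea goes into the ordinary interface access-list instead of a vpn-filter, and as Jorge notes it then applies to every user of that tunnel group; the per-user `username ... attributes / vpn-filter value` override is what the 7.x feature adds.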

r.gayagoy Wed, 07/29/2009 - 14:58

Thanks George for this link; it is very helpful.

Is it possible on PIX version 6.3?

Regards

