ACL for Client VPN issue

Answered Question
Oct 7th, 2009

Hello,


I'm setting up an ASA 5550 as a VPN concentrator so that clients can connect to my web server on the inside of the ASA. Everything seems to work properly (the client can access the server). The problem I have is that when I configure an ACL to authorize just port 80 (http/www) and deny all other traffic, I note that the ACL doesn't work; I mean I still have full access to the server from the client.


This is the config that I did:


access-list inside_access_out extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside


I also tried the following, but I noted the same problem:


access-list inside_access_in extended permit tcp host 192.168.200.100 eq www 10.20.0.0 255.255.255.0
access-list inside_access_in extended deny ip any any

access-group inside_access_in in interface inside


Could someone help me to resolve this issue?


Best regards,

Ismail



Correct Answer by Patrick0711 about 7 years 9 months ago

Where is the crypto map applied? Are you trying to filter inbound or outbound traffic?


By default, when the following command is enabled:


sysopt connection permit-vpn


VPN traffic will bypass any configured rules on the interface that the crypto map is applied to.


I would suggest using VPN-filters:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Patrick0711 Wed, 10/07/2009 - 08:20
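
The VPN-filter approach suggested in the answer, sketched as an added example that is not part of the original thread or of the linked Cisco document. It assumes 10.20.0.0/24 is the VPN client address pool and 192.168.200.100 is the web server (both taken from the ACLs in the question); the names VPN_WEB_ONLY and CLIENT_GP are hypothetical.

```cisco
! Added example (not from the thread). VPN_WEB_ONLY and CLIENT_GP are
! hypothetical names; addresses are the ones used in the question's ACLs.

! Confirm whether decrypted VPN traffic bypasses interface ACLs.
! "sysopt connection permit-vpn" in the output means interface
! access-groups are not evaluated for tunnelled traffic.
show running-config all sysopt

! Filter ACL for the tunnel. For a vpn-filter the remote side (the VPN
! client pool) always goes in the source position and the local
! resource in the destination position.
access-list VPN_WEB_ONLY extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
access-list VPN_WEB_ONLY extended deny ip any any

! Attach the filter to the group policy that the VPN clients receive.
! Assumption: the clients' tunnel-group already uses CLIENT_GP as its
! default-group-policy.
group-policy CLIENT_GP attributes
 vpn-filter value VPN_WEB_ONLY

! After a client reconnects, hit counts on the ACL entries show whether
! the filter is being evaluated: port 80 increments the permit line,
! anything else increments the deny line.
show access-list VPN_WEB_ONLY
```

A vpn-filter is applied when the session is established, so clients that are already connected must reconnect before the filter takes effect. Keep the filter ACL separate from any ACL bound to an interface with access-group.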