ACL for Client VPN issue

i.ennassiri
Level 1

Hello,

I'm setting up an ASA 5550 as a VPN concentrator, so that clients connect to my web server on the inside of the ASA. Everything seems to work properly (the client can access the server). The problem I have is that when I configure an ACL to authorize just port 80 (http/www) and deny all other traffic, I note that the ACL doesn't work; I mean I still have full access to the server from the client.

This is the config that I did:

access-list inside_access_out extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

I also tried the following, but I noted the same problem:

access-list inside_access_in extended permit tcp host 192.168.200.100 eq www 10.20.0.0 255.255.255.0

access-list inside_access_in extended deny ip any any

access-group inside_access_in in interface inside

Could someone help me to resolve this issue?

Best regards,

Ismail

Accepted Solutions

Patrick0711
Level 3

Where is the crypto map applied? Are you trying to filter inbound or outbound traffic?

By default, when the following command is enabled:

sysopt connection permit-vpn

VPN traffic will bypass any configured rules on the interface that the crypto map is applied to.

I would suggest using VPN-filters:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
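
A VPN filter for the case in this thread, as an added example that is not part of the original posts or of the linked Cisco document. It assumes 10.20.0.0/24 is the VPN client address pool and that the tunnel group already exists; VPN_FILTER, CLIENT_POLICY and CLIENT_TG are hypothetical names.

```cisco
! Assumptions (not from the thread): 10.20.0.0/24 is the VPN client pool;
! VPN_FILTER, CLIENT_POLICY and CLIENT_TG are hypothetical names.

! Check whether decrypted VPN traffic bypasses interface ACLs (the default).
show running-config all sysopt

configure terminal
! Filter ACL: source = VPN clients, destination = the inside web server.
! The implicit deny already drops everything else; the explicit deny is
! kept so blocked traffic shows up in the ACL hit counts.
access-list VPN_FILTER extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
access-list VPN_FILTER extended deny ip any any

! Attach the filter to the group policy used by the VPN clients.
group-policy CLIENT_POLICY internal
group-policy CLIENT_POLICY attributes
 vpn-filter value VPN_FILTER

! Make the existing tunnel group hand out that policy.
tunnel-group CLIENT_TG general-attributes
 default-group-policy CLIENT_POLICY
end

! Reconnect the client so the session picks up the policy, then confirm
! that the permit and deny entries are counting hits.
show access-list VPN_FILTER
```

Use a dedicated ACL for the filter rather than reusing one that is also bound to an interface with access-group.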

Thanks,

Your post was extremely helpful for me.