ACL for Client VPN issue

Answered Question
Oct 7th, 2009

Hello,

I'm setting up an ASA 5550 as a VPN concentrator, so clients connect to my web server on the inside of the ASA. All things seem to work properly (the client can access the server). The problem I have is that when I configure an ACL to authorize just port 80 (http/www) and deny all other traffic, I notice that the ACL doesn't work, I mean I still have full access to the server from the client.

This is the config that I did:

access-list inside_access_out extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

I also tried the following, but I noted the same problem:

access-list inside_access_in extended permit tcp host 192.168.200.100 eq www 10.20.0.0 255.255.255.0

access-list inside_access_in extended deny ip any any

access-group inside_access_in in interface inside

Could someone help me to resolve this issue?

Best regards,

Ismail

Correct Answer by Patrick0711, Wed, 10/07/2009 - 08:20

Where is the crypto map applied? Are you trying to filter inbound or outbound traffic?

By default, when the following command is enabled:

sysopt connection permit-vpn

VPN traffic will bypass any configured rules on the interface that the crypto map is applied to.

I would suggest using VPN filters:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

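A vpn-filter configuration for the scenario in the question, added here as an example and not part of the original thread or Cisco's own configuration guide; the addresses are the ones from the question, while the names vpnfilt-ra, RA-POLICY and RA-TUNNEL are assumed placeholders for the poster's group policy and tunnel group.

```cisco
! Constructed example (not from the thread): restrict remote-access VPN
! clients in 10.20.0.0/24 to HTTP on the inside web server 192.168.200.100.
!
! A vpn-filter ACL is written with the VPN client as the source and the
! inside host as the destination. It is evaluated on decrypted traffic
! leaving the tunnel, so it is not skipped by "sysopt connection permit-vpn",
! and the ACL ends with an implicit deny, so nothing else needs listing.
access-list vpnfilt-ra extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
!
! Attach the filter to the group policy that the remote-access tunnel
! group hands to connecting clients (names are placeholders).
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-filter value vpnfilt-ra
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! Verification after a client reconnects: the session should report
! vpnfilt-ra as its filter, and the ACL hit counts should increase only
! for port 80 while anything else from the client is dropped.
show vpn-sessiondb detail remoteaccess
show access-list vpnfilt-ra
!
! Alternative that affects every tunnel terminating on the ASA, not just
! this group: disable the bypass so the inbound ACL on the interface where
! the crypto map is applied (typically outside) filters decrypted traffic.
! no sysopt connection permit-vpn
! access-list outside_access_in extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
! access-group outside_access_in in interface outside
```

Existing sessions keep the filter they were assigned at connect time, so test with a fresh client connection after applying the change.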