I'm setting up an ASA 5550 as a VPN concentrator, so clients connect to my web server on the inside of the ASA. Everything seems to work properly (the client can access the server); the problem I have is that when I configure an ACL to authorize just port 80 (http/www) and deny all other traffic, I notice that the ACL doesn't work, I mean I still have full access to the server from the client.
This is the config that I applied:
access-list inside_access_out extended permit tcp 10.20.0.0 255.255.255.0 192.168.200.100 eq www
access-list inside_access_out extended deny ip any any
access-group inside_access_out out interface inside
I also tried the following, but I noticed the same problem:
access-list inside_access_in extended permit tcp host 192.168.200.100 eq www 10.20.0.0 255.255.255.0
access-list inside_access_in extended deny ip any any
access-group inside_access_in in interface inside
Could someone help me resolve this issue?
Where is the crypto map applied? Are you trying to filter inbound or outbound traffic?
By default, when the following command is enabled:
sysopt connection permit-vpn
VPN traffic bypasses any configured rules on the interface that the crypto map is applied to.
I would suggest using VPN-filters:
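As an added example, not part of the reply above or the original poster's configuration, here is how the restriction from the question could be expressed as a VPN filter. The client and server addresses are the ones from the question; the ACL, group-policy and tunnel-group names are assumed placeholders.

```cisco
! Added example (not from the original thread): restrict VPN clients to
! TCP/80 on the web server with a VPN filter instead of an interface ACL.
! Addresses come from the question; ACL, group-policy and tunnel-group
! names are assumed placeholders.
!
! A VPN filter ACL is written with the remote (VPN client) side as the
! source and the local (inside) side as the destination. The ASA applies
! it to decrypted traffic in both directions, so the return traffic from
! the server does not need its own rule. The explicit deny is not
! required (the ACL has an implicit deny) but makes dropped traffic
! visible in the hit counters.
access-list VPN-CLIENT-FILTER extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
access-list VPN-CLIENT-FILTER extended deny ip any any
!
! Attach the filter to the group policy the clients actually land in
! (name assumed). If the clients inherit DfltGrpPolicy, apply it there.
group-policy RA-GROUP-POLICY attributes
 vpn-filter value VPN-CLIENT-FILTER
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-GROUP-POLICY
!
! Heavier-handed alternative: stop VPN traffic from bypassing the
! interface ACL altogether. After this, decrypted traffic is checked
! against the ACL on the interface where the crypto map is applied
! (typically outside), so that ACL must explicitly permit everything the
! clients are allowed to reach. Shown commented out; use one approach or
! the other.
! no sysopt connection permit-vpn
```

To confirm the filter is in effect, reconnect the client (the filter is read at session setup), then watch the hit counts with `show access-list VPN-CLIENT-FILTER` while the client tries port 80 and some other port; `show vpn-sessiondb detail` lists the filter name attached to the session. Because the interface ACLs in the question are bypassed for VPN traffic under `sysopt connection permit-vpn`, it is the VPN filter, not `inside_access_out` or `inside_access_in`, that decides what the clients can reach.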