Remote access vpn issue in ASA Firewall.

Hi all,

I have terminated the remote access VPN on the outside interface of an ASA 5510 (version 8.2) firewall, and I have kept all the servers on the outside interface only.

I have bound an ACL to restrict some servers, but after binding the ACL on the outside interface it is not taking effect. Now, after connecting to the VPN, all the users can access the servers.

I have enabled same security interface intra-interface on the firewall.

Please help me.

6 Replies

Hi,

If you have ACLs restricting VPN traffic, they are not going to work by default because all VPN traffic is permitted regardless of the ACLs.

There's a command on the ASA that is: sysopt connection permit-vpn

This command tells the ASA to bypass the outside ACL when the traffic received is VPN.

So, to restrict VPN traffic you should remove this command and specify in the ACLs the traffic that you want to permit.

Hope this helps.

Federico.

Hi,

I have removed this command in the firewall, but still, after connecting to the VPN, I am able to access all the VPN.

One more thing: I have terminated the VPN on the outside and bound the ACL on the outside interface.

ASA(config)#no sysopt connection permit-vpn

Thanks,

Jayaram

Have you tried applying the ACL in the outbound direction on the outside interface?

In this way, the VPN traffic will terminate on the ASA, will be decrypted, and then will be routed out the same interface with the same-security intra-interface command, but before the traffic is sent out it should be checked by the ACL (if applied outbound on the outside interface).

Federico.

Yes Federico, tried that option too.

access-list outisde extended deny ip 10.3.25.0 255.255.255.0 any

10.3.25.0/24 is my pool range.

I have bound the above ACL in the firewall, but no luck.

One doubt: is there anything we need to bind this ACL to in the VPN config?

Let me try it because I'm pretty sure that it works....

Now, if you have a router behind the ASA, you can send the VPN traffic to that router and back to the ASA (so it will be checked by the ACLs on the ASA).

Federico.

Tried and it worked!

But it's using the vpn-filter under the group-policy for the VPN client.

Please see this link:

http://www.ciscosystems.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Federico.
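The vpn-filter approach the last reply points to, written out as an added example for an ASA running 8.2 (this is not configuration from the thread or from Cisco's linked document). It assumes the 10.3.25.0/24 client pool mentioned in the thread, a placeholder allowed server 192.0.2.10, placeholder group-policy and tunnel-group names RA-POLICY and RA-TUNNEL, and that the filter ACL is written with the client pool as the source.

```text
! Added example (not from the thread): restrict remote-access VPN clients on
! ASA 8.2 with a vpn-filter instead of an interface ACL.
! Assumptions: VPN pool 10.3.25.0/24 (from the thread); 192.0.2.10 is a
! placeholder for the one server the clients may reach; RA-POLICY and
! RA-TUNNEL are placeholder names and the tunnel-group already exists.
!
! Keep the hairpin enabled, since clients and servers are both on "outside".
same-security-traffic permit intra-interface
!
! vpn-filter ACL, written with the client pool as the source. It is evaluated
! on the decrypted traffic regardless of "sysopt connection permit-vpn" and
! of any interface ACL, which is why the outside ACL alone never matched.
access-list RA-VPN-FILTER extended permit ip 10.3.25.0 255.255.255.0 host 192.0.2.10
access-list RA-VPN-FILTER extended deny ip 10.3.25.0 255.255.255.0 any
! (an implicit deny follows anyway; the explicit entry makes hit counts visible)
!
group-policy RA-POLICY attributes
 vpn-filter value RA-VPN-FILTER
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! Verify: the session detail shows which filter is applied, and the hitcnt
! on the deny entry confirms blocked attempts against other servers.
show vpn-sessiondb detail remote
show access-list RA-VPN-FILTER
```

Because the filter is tied to the group-policy rather than to an interface, it keeps working even if the interface ACL is later changed or the VPN is moved to another interface.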
