02-13-2010 06:05 AM - edited 02-21-2020 04:30 PM
Hi all,
I have terminated the remote access VPN on the outside interface of an ASA 5510 (version 8.2) firewall, and I have kept all the servers on the outside interface only.
I have bound an ACL to restrict some servers, but after binding the ACL on outside it is not taking effect. Now, after connecting to the VPN, all the users can access the servers.
I have enabled same-security-traffic intra-interface on the firewall.
Please help me.
02-13-2010 08:06 AM
Hi,
If you have ACLs restricting VPN traffic, they are not going to work by default, because all VPN traffic is permitted regardless of the ACLs.
There's a command on the ASA that is: sysopt connection permit-vpn
This command tells the ASA to bypass the outside ACL when the traffic received is VPN.
So, to restrict VPN traffic you should remove this command and specify in the ACLs the traffic that you want to permit.
Hope this helps.
Federico.
02-13-2010 09:05 PM
Hi,
I have removed this command on the firewall, but still, after connecting to the VPN, I am able to access everything over the VPN.
One more thing: I have terminated the VPN on outside and bound the ACL on the outside interface.
ASA(config)#no sysopt connection permit-vpn
Thanks,
Jayaram
02-14-2010 09:18 AM
Have you tried applying the ACL in the outbound direction on the outside interface?
In this way, the VPN traffic will terminate on the ASA, will be decrypted, and then will be routed out the same interface thanks to the same-security intra-interface command, but before the traffic is sent out it should be checked by the ACL (if applied outbound on the outside interface).
Federico.
02-14-2010 10:46 PM
Yes, Federico, I tried that option too.
access-list outside extended deny ip 10.3.25.0 255.255.255.0 any
10.3.25.0/24 is my pool range.
I have bound the above ACL on the firewall, but no luck.
One doubt: is there anything we need to do to bind this ACL in the VPN config?
02-15-2010 11:24 AM
Let me try it because I'm pretty sure that it works....
Now, if you have a router behind the ASA, you can send the VPN traffic to that router and back to the ASA (so it will be checked by the ACLs on the ASA).
Federico.
02-15-2010 12:31 PM
Tried and it worked!
But it's using the vpn-filter under the group-policy for the VPN client.
Please see this link:
Federico.
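For readers landing on this thread, here is what the vpn-filter approach looks like in ASA 8.2 syntax. This is an added example, not configuration posted by either participant. The pool 10.3.25.0/24 comes from the thread; the group-policy name RA-GP, the tunnel-group name RA-TG and the server addresses 10.3.1.10 and 10.3.1.20 are assumptions chosen for illustration.

```cisco
! Added example (not from the original thread). ASA 8.2 syntax.
! Assumed names/addresses: group-policy RA-GP, tunnel-group RA-TG,
! servers 10.3.1.10 (RDP) and 10.3.1.20 (HTTPS). Pool 10.3.25.0/24 is from the thread.
!
! A vpn-filter ACL is written from the client's point of view:
! source = address assigned from the VPN pool, destination = the server.
! The ASA evaluates it against the decrypted traffic and allows the
! matching return traffic itself, so only one direction is listed.
! Anything not permitted falls to the implicit deny; the explicit
! deny with "log" below just makes the drops visible in the syslog.
access-list RA-VPN-FILTER extended permit tcp 10.3.25.0 255.255.255.0 host 10.3.1.10 eq 3389
access-list RA-VPN-FILTER extended permit tcp 10.3.25.0 255.255.255.0 host 10.3.1.20 eq 443
access-list RA-VPN-FILTER extended deny ip 10.3.25.0 255.255.255.0 any log
!
! Attach the filter to the group-policy the remote-access users land in.
group-policy RA-GP attributes
 vpn-filter value RA-VPN-FILTER
!
! Make sure the tunnel-group actually hands out that group-policy.
tunnel-group RA-TG general-attributes
 default-group-policy RA-GP
!
! Verification after a client connects:
!   show vpn-sessiondb detail remote   -> "Filter Name" shows RA-VPN-FILTER
!   show access-list RA-VPN-FILTER     -> hit counts increment per line
```

Two points worth checking when this does not behave as expected. First, the vpn-filter is independent of sysopt connection permit-vpn: that command only controls whether the interface ACL is bypassed for decrypted traffic, so the filter restricts the session either way. Second, the filter is per group-policy, so a user who lands in a different group-policy (for example the default DfltGrpPolicy) is not covered by it; the "Filter Name" field in show vpn-sessiondb detail remote confirms which filter, if any, a given session received.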