block internet access for remote access vpn users

Unanswered Question
May 25th, 2010

Currently we are allowing remote access VPN users access to the Internet; our setup is as follows:

group-policy VPN attributes
dns-server value

vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split


access-list split standard permit

We need to change this setup so that remote access VPN users can still access the internal network ( but NOT the Internet; in other words, everything should remain the same, but Internet access must be blocked.

What do we need to change on the group-policy?

Marcin Latosiewicz Tue, 05/25/2010 - 10:10

1. You need to change this:

split-tunnel-policy tunnelspecified

to tunnel all traffic.

2. Apply the vpn-filter option.

However, in this case all traffic requests for the Internet will go to (and be dropped by) the ASA.

ronicisco770 Tue, 05/25/2010 - 10:28

You mean the following:

split-tunnel-policy tunnelall

vpn-filter none

What is the purpose of the vpn-filter?

Do I need to specify a vpn-filter to block Internet and allow internal access?

Marcin Latosiewicz Tue, 05/25/2010 - 10:44

Long story short.

You can drop traffic via ACL with vpn-filter.


You can make sure that traffic will not make a u-turn on the outside interface of the ASA (you need same-security-traffic permit intra-interface to allow a u-turn).

If you need the same-security command for some reason, you can remove NAT from outside to outside.

Paste more of the config and we'll be able to say more.
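
Putting the two replies above together (switch to tunnelall, drop Internet-bound traffic with a vpn-filter ACL, and do not let tunnel traffic u-turn out of the outside interface), here is an added example of what the group-policy could look like. This is not configuration from the original post or from either poster; the inside network (10.10.0.0/16), client pool (192.168.50.0/24, named VPNPOOL) and ACL name (VPN-INTERNAL-ONLY) are assumed for illustration and should be replaced with the real values.

```cisco
! Added example, not from the original post. Assumed values:
!   inside network : 10.10.0.0/16
!   VPN client pool: 192.168.50.0/24 (pool name VPNPOOL)
! Lines starting with "!" are comments.

ip local pool VPNPOOL 192.168.50.1-192.168.50.254 mask 255.255.255.0

! vpn-filter ACLs are written from the remote client's point of view:
! source = address assigned to the VPN client, destination = what it may
! reach. The ASA checks the return traffic against the same entry, so one
! client-to-inside ACE is enough. Anything not permitted is dropped by the
! implicit deny; the explicit deny is only there so the drops show up as
! hit counts in "show access-list".
access-list VPN-INTERNAL-ONLY extended permit ip 192.168.50.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPN-INTERNAL-ONLY extended deny ip any any

! tunnelall replaces "split-tunnel-policy tunnelspecified": the client now
! sends everything, Internet included, through the tunnel, so nothing can
! bypass the filter by going out the client's local connection.
! "vpn-filter value ..." replaces "vpn-filter none".
group-policy VPN attributes
 vpn-tunnel-protocol IPSec
 address-pools value VPNPOOL
 split-tunnel-policy tunnelall
 vpn-filter value VPN-INTERNAL-ONLY

! Second line of defence: Internet-bound packets arriving over the tunnel
! would have to leave the same (outside) interface they came in on. Without
! this command the ASA refuses that u-turn regardless of the ACL.
no same-security-traffic permit intra-interface

! Verify from a connected client: internal hosts still reachable, Internet
! not; the deny ACE should accumulate hits.
! show access-list VPN-INTERNAL-ONLY
! show vpn-sessiondb remote
```

If intra-interface traffic is needed for some other reason, the alternative the reply mentions is to leave same-security-traffic in place and remove the outside-to-outside NAT for the pool, so hairpinned Internet traffic has no translation; the exact NAT syntax depends on the ASA version, so it is not shown here.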

