block internet access for remote access vpn users

ronicisco770
Level 1

Currently we are allowing remote access vpn users access to the Internet, our setup is as follows:

group-policy VPN attributes
 dns-server value 192.168.100.10
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
!
access-list split standard permit 192.0.0.0 255.0.0.0

We need to change this setup such that remote access VPN users can still access the internal network (192.0.0.0 255.0.0.0) but NOT have Internet access. In other words, everything should remain the same, but we need the Internet blocked.

What do we need to change on the group-policy?

3 Replies

Marcin Latosiewicz
Cisco Employee

1. You need to change this:

split-tunnel-policy tunnelspecified

to tunnel all traffic.

2. Apply vpn-filter option.

However, in this case all traffic requests for the Internet will go to (and be dropped by) the ASA.

You mean the following:

split-tunnel-policy tunnelall

vpn-filter none

What is the purpose of the vpn-filter?

Do I need to specify a vpn-filter to block Internet and allow internal access?

Long story short.

You can drop traffic via ACL with vpn-filter.

OR

You can make sure that traffic will not make a u-turn on the outside interface of the ASA (you need a same-security-traffic permit intra-interface to allow the u-turn).

If you need the same-security command for some reason, you can remove NAT from outside-to-outside.

Paste more of the config and we'll be able to say more.
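As an added example (not part of either reply above, nor the original poster's configuration), here is how the group-policy from the question could be rewritten to follow the two steps described: tunnel everything, then drop anything that is not destined for 192.0.0.0/8 with a vpn-filter ACL. The pool name RA_POOL, its range 10.10.10.0/24 and the ACL name RA_FILTER are assumptions. The filter ACL is written with the client-assigned address as the source and the internal network as the destination, which is the direction the ASA applies a remote-access vpn-filter in; confirm that against the documentation for the release you run before relying on it.

```cisco
! Assumed address pool for remote-access clients (not in the original post)
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
!
! vpn-filter ACL: clients may reach the internal /8 only. Anything else,
! including Internet-bound traffic, hits the explicit deny. The ASA applies
! a vpn-filter in both directions, so return traffic needs no extra entry.
! Source = client pool, destination = internal network (assumed direction).
access-list RA_FILTER extended permit ip 10.10.10.0 255.255.255.0 192.0.0.0 255.0.0.0
access-list RA_FILTER extended deny ip any any
!
! Step 1: tunnelall replaces tunnelspecified, so the "split" list is no longer
! consulted and every packet from the client enters the tunnel.
! Step 2: "vpn-filter none" becomes "vpn-filter value RA_FILTER".
group-policy VPN attributes
 dns-server value 192.168.100.10
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelall
 no split-tunnel-network-list
 vpn-filter value RA_FILTER
!
! Without "same-security-traffic permit intra-interface" the ASA would
! already refuse to hairpin client traffic back out of the outside interface;
! the filter makes the block explicit and independent of that setting.
!
! Checks after the change: confirm the policy took effect and watch the
! deny line's hit count climb as clients attempt Internet-bound connections.
show running-config group-policy VPN
show access-list RA_FILTER
```

With this in place a client still resolves names through 192.168.100.10 and reaches 192.0.0.0/8, while Internet-bound packets are sent into the tunnel and dropped at the ASA rather than leaving through the user's local connection.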
