05-25-2010 09:07 AM - edited 02-21-2020 04:40 PM
Currently we are allowing remote access vpn users access to the Internet, our setup is as follows:
group-policy VPN attributes
dns-server value 192.168.100.10
vpn-filter none
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split
!
access-list split standard permit 192.0.0.0 255.0.0.0
We need to change this setup such that remote access vpn users can still access the internal network (192.0.0.0 255.0.0.0) but NOT allow them Internet access, in other words everything should remain the same but we need Internet blocked.
What do we need to change on the group-policy?
05-25-2010 10:10 AM
1. You need to change this:
split-tunnel-policy tunnelspecified
to tunnel all traffic.
2. Apply vpn-filter option.
However in this case all traffic request for internet will go (and be dropped) by the ASA.
05-25-2010 10:28 AM
You mean the following:
split-tunnel-policy tunnelall
vpn-filter none
What is the purpose of the vpn-filter?
Do I need to specify a vpn-filter to block Internet and allow internal access?
05-25-2010 10:44 AM
Long story short.
You can drop traffic via ACL with vpn-filter.
OR
You can make sure that traffic will not make a u-turn on the outside interface of the ASA. (You need same-security-traffic permit intra-interface to allow the u-turn.)
If you need same-security command for some reason - you can remove NAT from outside-to-outside.
Paste more of the config - we'll be able to say more
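Putting the answer above into a concrete group-policy, as an added example that is not from the original posts: all client traffic is sent into the tunnel, and a vpn-filter permits only the internal 192.0.0.0/8 network and denies everything else. The client address pool 10.10.10.0/24 and the ACL name VPN-FILTER are placeholders; the ACL is written with the VPN client as the source, which is the direction vpn-filter expects for remote access.

```cisco
! Added example (not the original poster's config). Assumed values:
!   client pool 10.10.10.0/24, internal network 192.0.0.0/8 (from the question)
!
! vpn-filter ACL: source = remote access client, destination = internal network.
! The ASA applies it to both directions of the tunnel, so one permit line covers
! replies as well. Everything not matched is dropped by the explicit deny.
access-list VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.0.0.0 255.0.0.0
access-list VPN-FILTER extended deny ip any any
!
group-policy VPN attributes
 dns-server value 192.168.100.10
 vpn-tunnel-protocol IPSec
 ! tunnelall: no split tunnelling, so the client has no direct Internet path
 split-tunnel-policy tunnelall
 ! filter replaces the earlier "vpn-filter none"
 vpn-filter value VPN-FILTER
!
! Second option from the answer, without a filter: keep tunnelall and make sure
! the ASA has no "same-security-traffic permit intra-interface" and no
! outside-to-outside NAT, so Internet-bound traffic entering on the outside
! interface cannot u-turn and is dropped.
```

After the change, "show vpn-sessiondb" on a test session and a ping to an Internet address from the client will confirm that only the internal network is reachable.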