ASA8.0.5 and remote cisco vpn clients

Unanswered Question
Jun 1st, 2010

I want to create vpn for contractors limited to certain resources (ie a couple of internal servers). Not sure how to do this because if they have access via asa's acl to only specific internal servers, once they are on these servers, they can still initiate a rdp to other resources. I have to give rdp access. These contractors are authenticated to our microsof AD servers.

Thx

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Federico Coto F... Tue, 06/01/2010 - 21:30

Hi,

When you create a remote access IPsec VPN connection to the ASA, all traffic is permitted by default.

When you do the command ''sh run all sysopt'' you get ''sysopt connection permit-vpn'' and that means that all VPN traffic is going to pass through without being checked by the outside ACL.

There are some ways to restrict the VPN traffic through the tunnel

1. You can remove the sysopt ''no sysopt connection permit-vpn'' so only traffic that's allowed in the outside ACL is allowed in.

2. You can leave the sysopt and create ''vpn-filters'' under the group-policy for the tunnel-group of the remote access connection.

I'll recommend the option #2 so that you can specify exactly what you're going to allow through the tunnel.

If you're talking about the VPN user getting access to an inside server and from there being able to jump to other internal resources... well... that's out of the scope of the ASA's security features. The connection from an internal server to another internal server won't go through the ASA thus the ASA cannot protect it.

You can however define exactly just the traffic that's going to be allowed with the above vpn-filters.

Hope it helps.

Federico.

Actions

This Discussion