Applying Access rules to Remote Access VPN

kmcdonald1973
Level 1

Hello all. I have just configured a new RA VPN Group. When connected, users are able to connect to any resources I have defined in Group Policy\Split Tunneling.

However, I would like to restrict this VPN Group to access just a few resources such as RDP on a few servers and ssh on a few switches. How do I accomplish this? I have tried putting some rules in the rulebase but they do not seem to be restricting this traffic.

Thanks

5 Replies

praprama
Cisco Employee

Hi Kevin,

We can use vpn-filters for this purpose:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1134794

For example, if your VPN pool is 10.1.1.0/24 and the inside network is 10.1.2.0/24, to which you want to allow access only on TCP port 22, the access-list for the VPN filter will be as below:

access-list VPN permit tcp 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0 eq ssh

This will then have to be specified under the group-policy as the vpn-filter. Let me know if this helps.

Regards,

Prapanch
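As an added worked example (not from this thread): the ASA CLI form of what Kevin is asking for, RDP to a few servers and SSH to a few switches, following the same pattern as Prapanch's ACL with the VPN pool as the source. All addresses, object-group names and the group-policy name are placeholders I have assumed.

```cisco
! Constructed example: VPN pool 10.1.1.0/24, two RDP servers, two switches (placeholder addresses)
object-group network RA-RDP-SERVERS
 network-object host 10.1.2.10
 network-object host 10.1.2.11
object-group network RA-SSH-SWITCHES
 network-object host 10.1.3.1
 network-object host 10.1.3.2
!
! vpn-filter ACL: the VPN client address (the pool) is written as the source, as in the reply above
access-list RA-VPN-FILTER extended permit tcp 10.1.1.0 255.255.255.0 object-group RA-RDP-SERVERS eq 3389
access-list RA-VPN-FILTER extended permit tcp 10.1.1.0 255.255.255.0 object-group RA-SSH-SWITCHES eq ssh
! Anything not permitted here (including DNS, ping, and traffic initiated from inside towards the
! client) is dropped by the implicit deny at the end of the ACL; add lines only for what is required.
! Do not also bind this ACL to an interface with access-group; keep it dedicated to the VPN filter.
!
group-policy RA-RESTRICTED-GP attributes
 vpn-filter value RA-VPN-FILTER
!
! Verification: hit counts on the filter lines confirm the group's traffic is being evaluated by it
show access-list RA-VPN-FILTER
show run group-policy RA-RESTRICTED-GP
```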

Thanks for your reply Prapanch,

So I take it there is no way to view or edit these vpn-filters from ASDM? Also, is there a way to attach these vpn-filters to the group-policy via the ASDM?

Thanks,

Kevin

Hi Kevin,

You can do the same using ASDM as well. On the ASDM, go to the group-policies section and select the group-policy you have specified for your remote access users. Then press "Edit". Once here, you should see an option saying VPN filter or IPv4 Filter or something like that. You can click the "Manage" button there and then either use an existing ACL or create a new one as required.

I am not sure of the ASDM version you are using, so I don't know the exact terms, but the path should be the same irrespective of the ASDM version.

Hope this helps!

Regards,

Prapanch

Hi Prapanch,

Ok, I see it now. I hadn't hit the "More Options" button. This is my first ASA VPN config, as I have always used Checkpoint, so thanks for directing me to the right place.

Thanks,

Kevin

Hey Kevin,

Glad that I could be of help. Please mark this as Answered if all is resolved.

Regards,

Prapanch