ASA 5510 - Allow VNC Only to VPN'ed Client Machine

Here is our goal:  In order to support offsite Mac workstations, we would like to create a single, shared VPN account that our users can use to log into VPN.  However, we want to restrict this shared VPN account to allow only VNC traffic, so we can do screensharing with the Mac workstation.  Is there any way of accomplishing this goal?  Are there any suggestions of where I could start with this type of configuration?  Thanks for any help you can offer.

1 Reply

Configure an access list to permit the VPN source network range (the IP ranges assigned to the client) to access the workstation over VNC

access-list VNC-Only extended permit tcp object-group VPN-Subnets object-group Mac-Workstation eq 5900

Assign this to the access-policy:

dynamic-access-policy-record DfltAccessPolicy
network-acl VNC-Only

This will match all VPN traffic though - so maybe you'd want to create a new dynamic access policy to match on the AAA attribute cisco.grouppolicy = (name of shared VPN group).

(You will need to open more ports than just 5900 - so do it as a range, and obviously create the object group to match your requirements).
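Putting the reply's pieces together as one ASA configuration: this is an added example, not the poster's or the replier's own config. The object-group names follow the reply, while the addresses and the port range are placeholders to be replaced with your own values; the match on the cisco.grouppolicy AAA attribute is set in the ASDM DAP editor, not from the CLI, so only the CLI-side pieces appear here.

```cisco
! Address pool handed out to the shared VPN account (placeholder range)
object-group network VPN-Subnets
 network-object 10.10.10.0 255.255.255.0
!
! The Mac workstation(s) to be reached over screen sharing (placeholder host)
object-group network Mac-Workstation
 network-object host 192.168.50.25
!
! VNC listens on 5900 plus one port per additional display/session;
! a range keeps the ACL to a single line (adjust the upper bound to need)
object-group service VNC-Ports tcp
 port-object range 5900 5910
!
! Only VNC from the VPN pool to the workstation is permitted;
! the implicit deny at the end of the ACL drops everything else
access-list VNC-Only remark Shared VPN account: VNC to Mac workstations only
access-list VNC-Only extended permit tcp object-group VPN-Subnets object-group Mac-Workstation object-group VNC-Ports
!
! Dedicated DAP record so the default policy is left untouched for other users.
! Its selection criterion (cisco.grouppolicy = <shared group-policy name>)
! is entered in ASDM under Remote Access VPN > Dynamic Access Policies.
! Lower priority values win when several records match.
dynamic-access-policy-record VNC-Shared-Account
 description Shared VPN account restricted to VNC
 network-acl VNC-Only
 priority 10
```

After saving the DAP record, confirm with `show run dynamic-access-policy-record` that the ACL is bound, then verify from a test client that an SSH or SMB attempt to the workstation is dropped while a VNC session succeeds.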