Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

AnyConnect and it's build in client firewall.

Hi,

This is my first post here so hope i get this right. Hope anyone else have played around with the built-in firewall in the AnyConnect client and have an idea how to configure it.

First of all, the setup:

     It's an ASA-5520 running software 8.3.2 with AnyConnect 2.5.1025 on a Windows 7 client.

When the client PC connects, I want to push firewall rules to the built-in firewall in the AnyConnect client. My goal is to push rules that allow all traffic to the PCs local LAN, but blocks all incomming traffic to the PC. Traffic through the VPN interface should have no restrictions and uses split-tunneling. Allow Local LAN Access is enabled..

In the ASA, there are two access-lists that you can apply which push rules to the PC. There is a "Private network rule" and a "Public network rule". I want to leave the "Private network rule" to "None" but assign an access-list to the "Public network rule" which blocks all incomming traffic to the PC, but still allows all outbound traffic to the client PCs local LAN, except for the traffic that hits the split-tunnel network list and is routed into the VPN tunnel.

Does anyone have any suggestions on how to write the "Public network rule"-access-list?

In the old IPSEC client configuration you set an inbound and an outbound access-list. This is not possible anymore since i can only assign ONE access-list to the Public network rule.

Best regards,

Daniel

3 REPLIES
Cisco Employee

Re: AnyConnect and it's build in client firewall.

Daniel,

I'm a bit puzzled. Wouldn't doing downloadble ACLs be a solution for you?


ASA doesn't have inbound and outbound filter on crypto map, you can apply vpn-filter per-tunnel group or by using downloadable ACLs.

Marcin

New Member

Re: AnyConnect and it's build in client firewall.

Hello Marcin,

Thank you for your response. The access-list filter I am mentioning is pushed to the client PC. For linux clients it will be entered as iptable-rules and for windows it's entered into the windows firewall. The goal is to lockdown the connecting clients firewall for incomming traffic.

This was possible in the old IPSEC setup where you set a seperate inbound and outbound rule. Although in this new implementation of AnyConnect it is only possible to specify one access-list. What i can't figure out is how i can block all incomming traffic to the client PC while still allowing outbound traffic to the Local LAN?

The function is activated with the following command:

     group-policy DfltGrpPolicy attributes

           webvpn
           svc firewall-rule client-interface public value ACL-CLIENT-FW-PUB
           svc firewall-rule client-interface private none

Best regards,

Daniel

Cisco Employee

Re: AnyConnect and it's build in client firewall.

Daniel,

Apologies, in fact I never played with IronPort integration I see feature has quite a few requirements

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s8.html#wp1572564

And nothing in configuration guide ...  awesome ;/

Also internally information is scarce , if you don't mind I'll dig into this on Monday. Maybe file a documentation bug.

Marcin

3965
Views
0
Helpful
3
Replies
CreatePlease to create content