This is my first post here, so I hope I get this right. I hope someone else has played around with the built-in firewall in the AnyConnect client and has an idea how to configure it.
First of all, the setup:
It's an ASA-5520 running software 8.3.2 with AnyConnect 2.5.1025 on a Windows 7 client.
When the client PC connects, I want to push firewall rules to the built-in firewall in the AnyConnect client. My goal is to push rules that allow all traffic to the PC's local LAN, but block all incoming traffic to the PC. Traffic through the VPN interface should have no restrictions and uses split-tunneling. Allow Local LAN Access is enabled.
In the ASA, there are two access-lists that you can apply which push rules to the PC. There is a "Private network rule" and a "Public network rule". I want to leave the "Private network rule" at "None" but assign an access-list to the "Public network rule" which blocks all incoming traffic to the PC, but still allows all outbound traffic to the client PC's local LAN, except for the traffic that hits the split-tunnel network list and is routed into the VPN tunnel.
Does anyone have any suggestions on how to write the "Public network rule"-access-list?
In the old IPSEC client configuration you set an inbound and an outbound access-list. This is not possible anymore, since I can only assign ONE access-list to the Public network rule.
Thank you for your response. The access-list filter I am mentioning is pushed to the client PC. For Linux clients it is entered as iptables rules, and for Windows it is entered into the Windows firewall. The goal is to lock down the connecting client's firewall for incoming traffic.
This was possible in the old IPSEC setup, where you set a separate inbound and outbound rule. In this new implementation of AnyConnect it is only possible to specify one access-list. What I can't figure out is how I can block all incoming traffic to the client PC while still allowing outbound traffic to the local LAN.
The function is activated with the following command:
group-policy DfltGrpPolicy attributes
svc firewall-rule client-interface public value ACL-CLIENT-FW-PUB
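An added check, not part of the original thread or of any Cisco-supplied code: since the thread says the pushed ACL ends up as Windows firewall rules on the client, the quickest way to settle in which direction the single "Public network rule" ACL is actually applied is to list those rules on the connected Windows 7 client and group them by direction. The script below parses `netsh advfirewall firewall show rule name=all verbose` (which exists on Windows 7) and keeps the rules whose name matches a pattern. The pattern `AnyConnect` is an assumption about how the client names the rules it creates; adjust it to whatever name you see in the firewall console. Run it in an elevated PowerShell prompt while the VPN session is up.

```powershell
# Added example (not from the original thread). Lists the Windows Firewall
# rules created from the ASA-pushed client-firewall ACL, grouped by direction,
# so you can confirm whether the public-interface ACL was applied inbound,
# outbound or both. Assumption: the pushed rules carry "AnyConnect" in their
# name; override -NamePattern if your client labels them differently.
# Note: netsh output is localized, so on a non-English Windows the "Rule Name"
# field label in the regex below must be adjusted.

param([string]$NamePattern = 'AnyConnect')

function Get-FirewallRulesByPattern {
    param([string]$Pattern)

    # One block per rule, "Rule Name:" starts a block, "Field: value" lines follow.
    $raw = netsh advfirewall firewall show rule name=all verbose
    $rules = @()
    $current = $null

    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s+(.+)$') {
            if ($current) { $rules += $current }
            $current = [ordered]@{ Name = $Matches[1].Trim() }
        }
        elseif ($current -and $line -match '^([^:]+):\s+(.*)$') {
            $current[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    if ($current) { $rules += $current }

    $rules |
        Where-Object { $_.Name -match $Pattern } |
        ForEach-Object { [pscustomobject]$_ }
}

$pushed = Get-FirewallRulesByPattern -Pattern $NamePattern

if (-not $pushed) {
    Write-Warning "No firewall rules matching '$NamePattern' were found. Is the VPN session up, and is the name pattern right?"
    return
}

# Per-rule view: direction, action and the 5-tuple the ACL entry was turned into.
$pushed |
    Select-Object Name, Direction, Action, Protocol, LocalIP, RemoteIP, LocalPort, RemotePort, Enabled |
    Sort-Object Direction, Name |
    Format-Table -AutoSize

# Summary: rule count per direction. If every ACL entry shows up once as "In"
# and once as "Out", the single ACL is being applied in both directions and a
# deny-inbound/permit-outbound split cannot be expressed with one list.
$pushed | Group-Object Direction | Select-Object Name, Count
```

On a Linux client the same check is `iptables -S` (and `ip6tables -S`) while connected, looking for the chains and rules that appear only during the VPN session; the chain direction (INPUT vs OUTPUT) answers the same question.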