Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Cannot block VPN user to reach a host (inside)?

Hi all,

I'm a newbie in ASA, here is my question

Currently the ASA is

- allowing VPN-89 to access INSIDE-88, the Internet and VPN-89 itself

- allowing VPN-81-Admin to Access INSIDE-88, the Internet and VPN-81-Admin itself

- this ASA has a static route to 10.10.10.0


Now i would like to add a rule to block the VPN-89 to recach the 10.10.10.179(UCCX), but it fails.

VPN-89 from outside still can connect to 10.10.10.179

> access-list outside_access_in extended deny ip object VPN-89 object UCCX

Anybody knows how to block the VPN-89 to reach the 10.10.10.179(UCCX)

Config has been attached

Thanks in advance

Sam

Everyone's tags (2)
1 ACCEPTED SOLUTION

Accepted Solutions
Super Bronze

Cannot block VPN user to reach a host (inside)?

Hi,

There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.

The default setting is not visible with the "show run" command, But can be viewed for example with "show run all sysopt" The default setting is

sysopt connection permit-vpn

If you were to insert the following command

no sysopt connection permit-vpn

Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL and you would be able to deny the traffic you need.

Other option is to configure VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.

Hope this helps

- Jouni

1 REPLY
Super Bronze

Cannot block VPN user to reach a host (inside)?

Hi,

There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.

The default setting is not visible with the "show run" command, But can be viewed for example with "show run all sysopt" The default setting is

sysopt connection permit-vpn

If you were to insert the following command

no sysopt connection permit-vpn

Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL and you would be able to deny the traffic you need.

Other option is to configure VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.

Hope this helps

- Jouni

160
Views
0
Helpful
1
Replies
CreatePlease to create content