I am using a Cisco ASA 5510 as my organization's firewall, which we purchased a few days ago. I have created an IPsec Remote Access VPN with it. My branch office is located in another city, which I need to connect through the VPN.
I have configured my IPsec VPN on the ASA with all the policies I need and, at the client end, installed the Cisco VPN Client software. Now I can connect to my VPN server (ASA) from my branch office. I am also getting an IP address from the pool which I allocated during setup of the VPN.
Public IP configured on my ASA (outside): 188.8.131.52
Inside IP: 10.10.4.11
My local network is running on 10.10.x.x 255.255.0.0
VPN client pool: 10.10.21.1-10.10.21.15 255.255.255.240
I want to apply an ACL to my VPN traffic so that it is restricted: I don't want my VPN users to access any resource at my head office except 2 web applications and 1 software application.
Initially, I can ping from head office to branch office and vice versa after the VPN is connected with no ACLs configured.
Now my question is: in what way do I need to apply the ACL between my outside and inside users? I tried to apply an ACL, but still all my resources are available to the 10.10.21.0 users.
"sysopt connection permit ipsec" is probably configured (by default, I think), which allows IPsec traffic to bypass the ACL. You could either remove that command, not necessarily recommended, or if you are doing nat 0 for the VPN traffic, just change the ACL for that to only bypass NAT for the addresses you want to allow users to access.
Remember, if you remove "sysopt connection permit ipsec", you'll have to specifically allow access to any service you want VPN users to access.
Also, based on the ACL 101 you posted, users will not be able to access anything; you don't have any permit statements.
You should probably also edit your post and remove your public IP address.
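As an added illustration (not configuration posted by either participant), the following ASA fragment shows a third way to restrict the remote-access users besides the two the answer above mentions: a `vpn-filter` ACL attached to the group policy. The VPN pool and mask come from the question; the server addresses (10.10.4.20, 10.10.4.21, 10.10.4.30), the ports, and the group-policy and tunnel-group names are constructed placeholders to be replaced with the real head-office values.

```cisco
! Added example, not from the original thread. Server IPs, ports and
! policy names are constructed placeholders.
!
! For a remote-access vpn-filter, the ACL is written with the client's
! assigned pool address as the source and the local (inside) host as the
! destination; return traffic for permitted connections is allowed.
access-list VPN-FILTER extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.4.20 eq 80
access-list VPN-FILTER extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.4.20 eq 443
access-list VPN-FILTER extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.4.21 eq 443
! Placeholder port for the one non-web application
access-list VPN-FILTER extended permit tcp 10.10.21.0 255.255.255.240 host 10.10.4.30 eq 1433
! Everything else from the pool toward the 10.10.0.0/16 network is dropped and logged
access-list VPN-FILTER extended deny ip 10.10.21.0 255.255.255.240 10.10.0.0 255.255.0.0 log
!
! Attach the filter to the group policy used by the remote-access tunnel group
group-policy BRANCH-VPN-GP attributes
 vpn-filter value VPN-FILTER
!
tunnel-group BRANCH-VPN general-attributes
 default-group-policy BRANCH-VPN-GP
```

Because a vpn-filter is evaluated on the decrypted traffic as it leaves the tunnel, it applies even while `sysopt connection permit-vpn` lets IPsec traffic bypass the outside interface ACL, so this approach does not require removing that command. Keep the filter ACL separate from any ACL used with `access-group` on an interface, and check the result with `show access-list VPN-FILTER` to confirm the hit counts on the permit lines and on the final deny while a branch user tests each allowed application.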