Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
208
Views
0
Helpful
1
Replies

RA VPN security policy

ronshuster
Level 1
Level 1

‎11-11-2008 07:35 AM - edited ‎03-11-2019 07:11 AM

How do you check which resources\networks is a specific Remote Access VPN account is allowed to access on the network?

I am looking for the ASDM solution as well as CLI.

Thanks.

Labels:
0 Helpful
1 Reply 1

JORGE RODRIGUEZ
Level 10
Level 10

‎11-11-2008 10:31 AM

To validate your RA tunnels I would start by looking at the tunnel group names with their respective IP local Pool network and compare what type of access they have in the nonat access lists..

for example:

assume you have a RA tunnel group called ratunnel

and a Ip local pool of 200.200.200.1-200.200.200.254 for the RA vpn users.

and you have inside network of 10.10.10.0/24 coming off your firewall inside interface where your inside resources are.

then look at your nonat access list as bellow , you can then say by looking at the nonat acl bellow that any RA vpn client using ratunnel group to connect to your corporate network have access to any host in 10.10.10.0/24 network. You would have to do this validation check for each of the nonat acls pertaining to any other tunnel group names you may have , and also any nonat acl pointing to any other interfaces in your firewall like DMZ interface etc..

access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 200.200.200.0 255.255.255.0

Also you may look at vpn filters that may be apply to particular VPN user for that tunnel.

Rgds

Jorge

Jorge Rodriguez
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card