Cisco Support Community

RA VPN security policy

How do you check which resources/networks a specific Remote Access VPN account is allowed to access on the network?

I am looking for the ASDM solution as well as CLI.



Re: RA VPN security policy

To validate your RA tunnels, I would start by looking at the tunnel group names with their respective IP local pool network and compare what type of access they have in the nonat access lists.

For example:

Assume you have an RA tunnel group called ratunnel

and an IP local pool of for the RA VPN users,

and you have an inside network of coming off your firewall's inside interface, where your inside resources are.

Then look at your nonat access list as below. You can then say, by looking at the nonat ACL below, that any RA VPN client using the ratunnel group to connect to your corporate network has access to any host in the network. You would have to do this validation check for each of the nonat ACLs pertaining to any other tunnel group names you may have, and also any nonat ACL pointing to any other interfaces in your firewall, like a DMZ interface, etc.

access-list inside_nat0_outbound extended permit ip

Also, you may look at VPN filters that may be applied to a particular VPN user for that tunnel.
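The check described in the answer above (tunnel-group -> address pool -> nonat ACL, plus any vpn-filter on the group policy) can be done by hand with `show run tunnel-group`, `show run ip local pool`, `show run access-list` and `show run group-policy`, but it is easy to miss an ACE when there are several pools and interfaces. The script below is an added example, not part of the original post or anything from Cisco: it parses a constructed pre-8.3 ASA configuration excerpt (the `nat (iface) 0 access-list` form the post uses) and, for a named tunnel group, reports the pool network, the per-interface networks that are NAT-exempt toward that pool, and the vpn-filter ACEs that apply to the pool. Names such as `ratunnel`, `RAPOOL`, `RAGP`, `RA_FILTER` and the addresses are assumptions; the parser only handles the `any | host X | NET MASK` operand forms and takes the first pool listed under `address-pool`.

```python
import ipaddress
from dataclasses import dataclass

# Constructed pre-8.3 ASA running-config excerpt used as sample input (not from the original post).
SAMPLE_CONFIG = """\
ip local pool RAPOOL 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool DMZPOOL 10.20.20.1-10.20.20.50 mask 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 10.20.20.0 255.255.255.0
access-list dmz_nat0_outbound extended permit ip 172.16.5.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list RA_FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list RA_FILTER extended permit ip 10.10.10.0 255.255.255.0 host 172.16.5.10
access-list RA_FILTER extended deny ip any any
nat (inside) 0 access-list inside_nat0_outbound
nat (dmz) 0 access-list dmz_nat0_outbound
group-policy RAGP internal
group-policy RAGP attributes
 vpn-filter value RA_FILTER
tunnel-group ratunnel type remote-access
tunnel-group ratunnel general-attributes
 address-pool RAPOOL
 default-group-policy RAGP
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: str  # trailing port qualifier such as "eq 443", or "" when absent


def _addr(tokens, i):
    """Consume one ACL address operand (any | host X | NET MASK); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Pull pools, extended ACLs, nat0 bindings, group-policy filters and tunnel-groups from config text."""
    pools, acls, nat0, gpolicies, tgroups = {}, {}, {}, {}, {}
    block = None  # (kind, name) of the indented attribute block we are inside, if any
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if line[0] == " " and block:
            kind, name = block
            attr = line.split()
            if kind == "tg" and attr[0] == "address-pool":
                tgroups[name]["pool"] = attr[1]  # assumption: first pool only
            elif kind == "tg" and attr[0] == "default-group-policy":
                tgroups[name]["gp"] = attr[1]
            elif kind == "gp" and attr[:2] == ["vpn-filter", "value"]:
                gpolicies[name]["filter"] = attr[2]
            continue
        block = None
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            # Pool subnet derived from the first address and the mask keyword, which is how
            # the matching nonat ACE is normally written.
            first = t[4].split("-")[0]
            pools[t[3]] = ipaddress.ip_network(f"{first}/{t[6]}", strict=False)
        elif t[0] == "access-list" and t[2] == "extended":
            src, i = _addr(t, 5)
            dst, i = _addr(t, i)
            acls.setdefault(t[1], []).append(Ace(t[3], t[4], src, dst, " ".join(t[i:])))
        elif t[0] == "nat" and t[2] == "0" and t[3] == "access-list":
            nat0[t[1].strip("()")] = t[4]
        elif t[0] == "group-policy" and t[2] == "attributes":
            gpolicies.setdefault(t[1], {})
            block = ("gp", t[1])
        elif t[0] == "tunnel-group" and t[2] == "general-attributes":
            tgroups.setdefault(t[1], {})
            block = ("tg", t[1])
    return {"pools": pools, "acls": acls, "nat0": nat0, "gp": gpolicies, "tg": tgroups}


def audit_tunnel_group(cfg, tg_name):
    """Resolve tunnel-group -> pool -> NAT-exempt networks and applicable vpn-filter ACEs."""
    tg = cfg["tg"][tg_name]
    pool = cfg["pools"][tg["pool"]]
    # Networks behind each interface whose nonat ACE destination covers this pool.
    nonat = sorted(
        (iface, str(ace.src))
        for iface, acl in cfg["nat0"].items()
        for ace in cfg["acls"].get(acl, [])
        if ace.action == "permit" and ace.dst.overlaps(pool)
    )
    # A vpn-filter ACL is written with the client (pool) address as the source;
    # keep only the ACEs whose source overlaps this pool, in order, so the final deny is visible.
    flt = cfg["gp"].get(tg.get("gp"), {}).get("filter")
    filter_aces = [
        f"{ace.action} {ace.proto} {ace.dst} {ace.ports}".strip()
        for ace in cfg["acls"].get(flt, [])
        if ace.src.overlaps(pool)
    ]
    return {"pool": str(pool), "nonat": nonat, "vpn_filter": flt, "filter_aces": filter_aces}


if __name__ == "__main__":
    for key, value in audit_tunnel_group(parse_config(SAMPLE_CONFIG), "ratunnel").items():
        print(f"{key}: {value}")
```

Read the two result lists together: the nonat list is what can be reached without translation, and the vpn-filter list (when present) is what the firewall will actually let through the tunnel, so a host that appears under nonat but is not permitted by the filter is not reachable. On ASA 8.3 and later the `nat (iface) 0 access-list` form no longer exists; the exemption is a `nat (inside,outside) source static ... destination static ...` rule instead, so the nonat part of this check has to be redone against `show run nat` rather than an access list.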


