Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
324
Views
0
Helpful
1
Replies

Cannot block VPN user to reach a host (inside)?

Go to solution
samhopealpha
Level 1
Level 1

‎08-29-2013 02:28 AM - edited ‎03-11-2019 07:32 PM

Hi all,

I'm a newbie in ASA, here is my question

Currently the ASA is

- allowing VPN-89 to access INSIDE-88, the Internet and VPN-89 itself

- allowing VPN-81-Admin to Access INSIDE-88, the Internet and VPN-81-Admin itself

- this ASA has a static route to 10.10.10.0


Now i would like to add a rule to block the VPN-89 to recach the 10.10.10.179(UCCX), but it fails.

VPN-89 from outside still can connect to 10.10.10.179

> access-list outside_access_in extended deny ip object VPN-89 object UCCX

Anybody knows how to block the VPN-89 to reach the 10.10.10.179(UCCX)

Config has been attached

Thanks in advance

Sam

Labels:
15366510-asa config.log.zip
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-29-2013 02:36 AM

Hi,

There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.

The default setting is not visible with the "show run" command, But can be viewed for example with "show run all sysopt" The default setting is

sysopt connection permit-vpn

If you were to insert the following command

no sysopt connection permit-vpn

Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL and you would be able to deny the traffic you need.

Other option is to configure VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.

Hope this helps

- Jouni

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-29-2013 02:36 AM

Hi,

There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.

The default setting is not visible with the "show run" command, But can be viewed for example with "show run all sysopt" The default setting is

sysopt connection permit-vpn

If you were to insert the following command

no sysopt connection permit-vpn

Then you would have to allow any traffic coming from the VPN in the "outside" interface ACL and you would be able to deny the traffic you need.

Other option is to configure VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.

Hope this helps

- Jouni

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card