08-29-2013 02:28 AM - edited 03-11-2019 07:32 PM
Hi all,
I'm a newbie with ASA; here is my question.
Currently the ASA is
- allowing VPN-89 to access INSIDE-88, the Internet and VPN-89 itself
- allowing VPN-81-Admin to Access INSIDE-88, the Internet and VPN-81-Admin itself
- this ASA has a static route to 10.10.10.0
Now I would like to add a rule to block VPN-89 from reaching 10.10.10.179 (UCCX), but it fails.
VPN-89 from outside can still connect to 10.10.10.179:
> access-list outside_access_in extended deny ip object VPN-89 object UCCX
Does anybody know how to block VPN-89 from reaching 10.10.10.179 (UCCX)?
The config has been attached.
Thanks in advance
Sam
08-29-2013 02:36 AM
Hi,
There is a default setting on the ASA which states that ANY traffic coming through a VPN connection will BYPASS any ACL you might have configured on the ASA "outside" interface.
The default setting is not visible with the "show run" command, but it can be viewed for example with "show run all sysopt". The default setting is:
sysopt connection permit-vpn
If you were to insert the following command:
no sysopt connection permit-vpn
then you would have to allow any traffic coming from the VPN in the "outside" interface ACL, and you would be able to deny the traffic you need.
The other option is to configure a VPN Filter ACL under the Group Policy of the connection to control the traffic. I personally prefer the first option that I mentioned.
Hope this helps
- Jouni
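As an added example (not Jouni's text and not the config attached to the question), here is what both options look like in ASA CLI. The object names VPN-89, VPN-81-Admin and UCCX and the ACL name outside_access_in come from the question; the VPN-89 address pool, the interface name "outside" and the group-policy name GP-VPN-89 are assumed placeholders. The VPN-81-Admin object is assumed to already exist in the attached config.

```cisco
! Added example, not the thread's attached config.
! Object names come from the question; the VPN-89 pool subnet is assumed.
object network VPN-89
 subnet 192.168.89.0 255.255.255.0
object network UCCX
 host 10.10.10.179

! Option 1 (Jouni's preference): stop VPN traffic from bypassing the outside ACL.
! Once permit-vpn is removed, every VPN flow must be explicitly permitted in
! outside_access_in. Put the deny for UCCX before the broad permit, and give
! VPN-81-Admin its own permit too, since it also terminates on this ASA.
access-list outside_access_in extended deny ip object VPN-89 object UCCX
access-list outside_access_in extended permit ip object VPN-89 any
access-list outside_access_in extended permit ip object VPN-81-Admin any
access-group outside_access_in in interface outside
no sysopt connection permit-vpn

! Option 2: keep the default bypass and filter only this tunnel's group policy.
! A vpn-filter ACL is written from the tunnel's point of view:
! source = VPN client address, destination = local resource.
access-list VPN-89-FILTER extended deny ip object VPN-89 object UCCX
access-list VPN-89-FILTER extended permit ip object VPN-89 any
group-policy GP-VPN-89 internal
group-policy GP-VPN-89 attributes
 vpn-filter value VPN-89-FILTER

! Checks: confirm the sysopt state, then have a VPN-89 host try UCCX and watch
! the hitcnt on the deny line increase.
show run all sysopt | include permit-vpn
show access-list outside_access_in | include UCCX
show access-list VPN-89-FILTER
```

Order matters with option 1: add the permit lines to outside_access_in before issuing "no sysopt connection permit-vpn", otherwise existing VPN-81-Admin and VPN-89 sessions lose access the moment the default bypass is removed. With option 2 the outside ACL is untouched, so only the tunnels whose group policy carries the filter are affected.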