Cisco Support Community

New Member

Access control for Client VPN on Cisco 5520

I am using the ASDM to set up client VPNs for users. At one point in the wizard you specify traffic that's exempt from NAT that your users can access, but there were no other controls on what protocols/ports they can access. My question is, where would I put the access rules? Would I put them on the inside interface incoming (on the security policy tab), or is there some place in the VPN tab (such as the group policy section) where I would allow/restrict specific ports/protocols? I would just use trial and error, but there are active P2P VPNs on this box, and last time I added an access rule for the inside interface incoming, it ended up breaking all the P2P VPN access. Any suggestions?

Thanks,

Jeff

1 ACCEPTED SOLUTION

Accepted Solutions
Green

Re: Access control for Client VPN on Cisco 5520

I'm sure you know this, but that will affect all traffic, not only VPN, so be sure to write your ACL correctly: allow what you want from the VPN client subnet, deny everything else from the VPN client subnet, then allow everything else. You also have to do "no sysopt connection permit-ipsec/vpn" or the traffic will bypass the ACL. Good luck.

Oh, and don't forget about your other VPN tunnels.

5 REPLIES
Green

Re: Access control for Client VPN on Cisco 5520

You can create a vpn-filter, which is applied to a group policy, with sysopt connection permit-ipsec. There is little documentation on it and it is very buggy, but it is an option.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Or remove sysopt connection permit-ipsec and use your interface ACLs to restrict the traffic. For example, add an ACL out on interface inside.

New Member

Re: Access control for Client VPN on Cisco 5520

Sounds good... I'll give the outgoing inside interface access lists a try and let you know.

Thanks,

Jeff


New Member

Re: Access control for Client VPN on Cisco 5520

Ahhh, I see... so when I do the "no sysopt connection permit-ipsec/vpn" command, that will mean that ALL VPN traffic will not bypass the ACLs, and I'll need to create ACLs for ALL existing VPNs or they will all break. Good point... I'm still getting used to the Cisco way of things (coming from ISA, bleh), so thanks for the heads up. I'll give the group policy access lists a try first, as they seem to be specific to each tunnel group. Hopefully they work... if not, time to make a lot of ACLs :D

Thanks,

Jeff

Green

Re: Access control for Client VPN on Cisco 5520

If you did "no sysopt conn ...", you would also need to specifically allow ISAKMP, ESP, etc. in your outside ACL.

If you only want to filter one specific VPN, your ACLs wouldn't be that long, mostly a bunch of permit ip any any from your existing VPNs you don't want to filter. But the vpn-filter is much slicker. You may have luck with it.
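Added example, not from any post in this thread: the two approaches the replies describe, written out as ASA CLI. The VPN client pool, inside server, site-to-site peer network, ASA outside address, ACL names and group-policy name are all constructed placeholders; the replies write the sysopt keyword as permit-ipsec/vpn because it depends on ASA version, and permit-vpn is used below.

```cisco
! Constructed example. Client pool 10.10.10.0/24, inside server 192.168.1.10,
! existing site-to-site peer network 172.16.0.0/16, ASA outside 203.0.113.1.

! Option 1: vpn-filter on the remote-access group policy. Only this group is
! affected; other tunnels keep bypassing interface ACLs because
! sysopt connection permit-vpn stays enabled. Rules are written with the
! remote (client) side as source and the local side as destination; the ASA
! checks the filter in both directions, and the filter ends in an implicit deny.
access-list VPNFILTER-RA extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 445
access-list VPNFILTER-RA extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list VPNFILTER-RA extended permit icmp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
group-policy GP-REMOTE-ACCESS attributes
 vpn-filter value VPNFILTER-RA

! Option 2: interface ACLs. Once sysopt is off, decrypted traffic from EVERY
! tunnel is checked like any other inbound flow on the outside interface, so
! the ACL must permit the wanted client flows, drop the rest of the pool, and
! still permit the other tunnels' traffic (an "out" ACL on the inside interface
! is another place to do the same, as the first reply suggests).
no sysopt connection permit-vpn
access-list OUTSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 445
access-list OUTSIDE-IN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list OUTSIDE-IN extended deny ip 10.10.10.0 255.255.255.0 any
access-list OUTSIDE-IN extended permit ip 172.16.0.0 255.255.0.0 192.168.1.0 255.255.255.0
! Tunnel setup itself, as the last reply notes: ISAKMP UDP/500, NAT-T UDP/4500, ESP.
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq 500
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq 4500
access-list OUTSIDE-IN extended permit esp any host 203.0.113.1
access-group OUTSIDE-IN in interface outside
```

With option 2 the deny line for the client pool is the whole point; with option 1 the implicit deny of the vpn-filter does that job and nothing else on the box changes.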
