03-13-2007 08:42 AM - edited 02-21-2020 02:55 PM
I am using the ASDM to set up client VPNs for users. At one point in the wizard you specify traffic that's exempt from NAT that your users can access. But there were no other controls on what protocols/ports they can access. My question is, where would I put the access rules? Would I put them on the inside interface incoming (on the security policy tab), or is there some place in the VPN tab (such as the group policy section) where I would allow/restrict specific ports/protocols? I would just use trial and error, but there are active P2P VPNs on this box, and last time I added an access rule for the inside interface incoming, it ended up breaking all the P2P VPN access. Any suggestions?
Thanks,
Jeff
Solved! Go to Solution.
03-13-2007 12:15 PM
I'm sure you know this, but that will affect all traffic, not only VPN, so be sure to write your ACL correctly: allow what you want from the VPN client subnet, deny everything else from the VPN client subnet, then allow everything else. You also have to do "no sysopt connection permit-ipsec/vpn" or the traffic will bypass the ACL. Good luck.
Oh, and don't forget about your other VPN tunnels.
03-13-2007 08:54 AM
You can create a vpn-filter which is applied to a group policy with sysopt connection permit-ipsec. There is little documentation on it and it is very buggy, but it is an option.
Or remove sysopt connection permit-ipsec and use your interface ACLs to restrict the traffic. For example, add an ACL out interface inside.
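To make the first option concrete, here is an added ASA configuration example (not from the thread or from Cisco documentation) of a vpn-filter bound to one group policy. The ACL name, group-policy name, client pool 10.10.200.0/24 and the internal server addresses are all constructed placeholders. The point worth seeing is that a vpn-filter ACL is written from the remote side's perspective (source = VPN client address, destination = internal host) and that it applies only to sessions using that group policy, so other tunnel groups and site-to-site peers are not affected even though sysopt connection permit-vpn stays in place.

```cisco
! Added example, constructed addresses and names.
! vpn-filter ACEs: source is the VPN client (remote) side, destination is the local network.
! The ASA also evaluates the reverse direction of each ACE for return traffic.
access-list VPN-USERS-FILTER extended permit tcp 10.10.200.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list VPN-USERS-FILTER extended permit udp 10.10.200.0 255.255.255.0 host 192.168.1.20 eq domain
access-list VPN-USERS-FILTER extended permit icmp 10.10.200.0 255.255.255.0 192.168.1.0 255.255.255.0 echo
! Explicit final deny with logging so blocked attempts from the client pool show up in syslog.
access-list VPN-USERS-FILTER extended deny ip 10.10.200.0 255.255.255.0 any log

! Attach the filter to the group policy used by the remote-access tunnel group only.
group-policy VPN-USERS attributes
 vpn-filter value VPN-USERS-FILTER

! Leave the global bypass in place; vpn-filter is enforced regardless of it.
sysopt connection permit-vpn
```

On ASA 7.0 the bypass command is spelled sysopt connection permit-ipsec; later releases renamed it to permit-vpn. Because the filter lives on the group policy, existing site-to-site tunnels that use other group policies keep working unchanged.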
03-13-2007 12:09 PM
Sounds good... I'll give the outgoing interface inside access lists a try and let you know.
Thanks,
Jeff
03-13-2007 12:28 PM
Ahhh, I see... so when I do the "no sysopt connection permit-ipsec/vpn" command, that will mean that ALL VPN traffic will not bypass the ACLs, and I'll need to create ACLs for ALL existing VPNs or they will all break. Good point... I'm still getting used to the Cisco way of things (coming from ISA, bleh), so thanks for the heads up. I'll try the group policy access lists first, as they seem to be specific to each tunnel group. Hopefully they work... if not, time to make a lot of ACLs :D
Thanks,
Jeff
03-13-2007 12:37 PM
If you did "no sysopt conn ..." you would also need to specifically allow isakmp, esp etc. in your outside ACL.
If you only want to filter one specific VPN your ACLs wouldn't be that long, mostly a bunch of permit ip any any from your existing VPNs you don't want to filter. But the vpn-filter is much slicker. You may have luck with it.
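For the second option discussed in the thread (dropping the bypass and filtering with interface ACLs), here is an added ASA configuration example; it is not from the thread or from Cisco documentation, and the ASA outside address 203.0.113.1, client pool 10.10.200.0/24, site-to-site peer networks 172.16.50.0/24 and 172.16.60.0/24, and internal hosts are constructed placeholders. It shows the ordering the earlier reply describes (permit what the client subnet needs, deny the rest of the client subnet, then permit the existing tunnels), plus the IKE/ESP permits the last reply mentions. Once sysopt connection permit-vpn is removed, decrypted VPN traffic is checked against the inbound ACL of the interface it arrived on, so the existing site-to-site networks must be permitted explicitly or those tunnels stop passing traffic.

```cisco
! Added example, constructed addresses. Remove the global bypass so decrypted VPN
! traffic is subject to the interface ACL (older releases: no sysopt connection permit-ipsec).
no sysopt connection permit-vpn

! Tunnel setup traffic to the ASA itself, as the reply above suggests allowing.
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq isakmp
access-list OUTSIDE-IN extended permit udp any host 203.0.113.1 eq 4500
access-list OUTSIDE-IN extended permit esp any host 203.0.113.1

! 1. Permit only what the remote-access client pool may reach.
access-list OUTSIDE-IN extended permit tcp 10.10.200.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list OUTSIDE-IN extended permit udp 10.10.200.0 255.255.255.0 host 192.168.1.20 eq domain
! 2. Deny everything else from the client pool, logged, before the broader permits below.
access-list OUTSIDE-IN extended deny ip 10.10.200.0 255.255.255.0 any log

! 3. Existing site-to-site tunnels no longer bypass the ACL, so permit them explicitly.
access-list OUTSIDE-IN extended permit ip 172.16.50.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE-IN extended permit ip 172.16.60.0 255.255.255.0 192.168.1.0 255.255.255.0

! Everything else from the Internet hits the implicit deny at the end of the list.
access-group OUTSIDE-IN in interface outside
```

The same client-subnet rules could instead be placed in an ACL applied with access-group ... out interface inside, as suggested earlier in the thread; the inbound outside ACL is used here because it is also where the existing tunnels' traffic must be re-permitted, which keeps all VPN-related rules in one list. Validate the result with show access-list OUTSIDE-IN, whose hit counts reveal which entries the client and site-to-site traffic are actually matching.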