How to restrict the TCP and UDP services that are accessed by VPN client

dfariborz
Level 1

On an ASA5520 appliance with v712, it seems impossible to implement two ACLs, one for TCP and one for UDP, for the same "Group Policy". We have to use the same group for the VPN clients, as they need both TCP and UDP services for their applications.

I've also read this configuration guide from Cisco, "Restrict the Network Access of Remote VPN Users", but there, in the ACEs, only the IP protocol is selected, thus covering both TCP and UDP.

Thank you
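As an added example (not part of the original thread, and not taken from the Cisco guide it cites), the following ASA 7.x configuration shows that one extended ACL applied with `vpn-filter` under the group policy can carry both TCP and UDP ACEs, so a second ACL is not needed. All names and addresses are assumptions for illustration: client pool 10.10.10.0/24, an inside server 192.168.1.10 that the clients should reach on TCP/80 and UDP/53, an ACL named VPN-FILTER and a group policy named RA-POLICY.

```cisco
! Constructed example: one vpn-filter ACL mixing TCP and UDP ACEs.
! vpn-filter ACEs are written from the inside (private) side toward the client:
! source = inside host/network with its service port, destination = VPN client pool.
access-list VPN-FILTER extended permit tcp host 192.168.1.10 eq 80 10.10.10.0 255.255.255.0
access-list VPN-FILTER extended permit udp host 192.168.1.10 eq 53 10.10.10.0 255.255.255.0
! The implicit deny at the end of the ACL drops everything else, ICMP included.

! Attach the filter to the group policy the VPN clients already use.
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

! Verification: confirm the filter is attached and watch the hit counts climb
! as a client uses each service.
show running-config group-policy RA-POLICY
show access-list VPN-FILTER
```

Because the vpn-filter ACL is matched against traffic in both directions, keep the inside resource as the source of each ACE and the client pool as the destination; if an ACE written the other way round shows zero hits in `show access-list` while the client is testing, the direction is the first thing to check.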

1 Reply

smahbub
Level 6

Software versions 3.6 and later let a network administrator restrict the use of network extension mode. On the VPN Concentrator, you enable network extension mode for VPN 3002 hardware clients on a group basis.

If you disallow network extension mode, which is the default setting on the VPN Concentrator, the VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, be careful that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 will attempt to connect every 4 seconds, and every attempt will be rejected; this is the equivalent of a denial-of-service attack.