Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to restrict the TCP and UDP services that are accessed by VPN client

On ASA5520 appliance with v712, it seems impossible to implement two ACLs, one for TCP and one for UDP for the same "Group Policy". We have to use the same group for the VPN clients as they need both TCP and UDP services for their applications.

I've also read this configuration guide from Cisco: "Restrict the Network Access of Remote VPN Users", but there in the ACEs, only IP protocol is selected thus embracing both TCP and UDP.

Thank you


Re: How to restrict the TCP and UDP services that are accessed b

Software versions 3.6 and later let a network administrator restrict the use of network extension mode. On the VPN Concentrator, you enable network extension mode for VPN 3002 hardware clients on a group basis.

If you disallow network extension mode, which is the default setting on the VPN Concentrator, the VPN 3002 can connect to that VPN Concentrator in PAT mode only. In this case, be careful that all VPN 3002s in the group are configured for PAT mode. If a VPN 3002 is configured to use network extension mode and the VPN Concentrator to which it connects disallows network extension mode, the VPN 3002 will attempt to connect every 4 seconds, and every attempt will be rejected; this is the equivalent of denial of service attack.

CreatePlease login to create content