Is there a way to limit vpn client sessions based on the application ports? For example, I would like to give access to a vendor to a specific internal server but his access needs to be limited to FTP only. I can define the server access using a VPN network list but I'm not sure how to restrict further by using the port numbers.
I'm ruling out the VPN Filters since they need to be applied physically to an interface, affecting other users whose access are based on IP addresses.
I was wrong about using the filters. Filters can be applied to VPN groups to limit access down to the port level. The filters become complex when restrictions are numerous and the number of servers involved is large. Filters can not be applied to VPN users.
To answer your question of just limiting the access to a specific server, use split tunneling in conjunction with a network list. You include the internal server IP address in the network list.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...