ACL for Client VPN issue

hello,

I'm setting up an ASA 5550 as a VPN concentrator so that clients connect to my web server on the inside of the ASA. Everything seems to work properly (the client can access the server); the problem I have is that when I configure an ACL to authorize just port 80 (http/www) and deny all other traffic, I notice that the ACL doesn't work, I mean I still have full access to the server from the client.

This is the config that I did:

access-list inside_access_out extended permit tcp 10.20.0.0 255.255.255.0 192.168.200.100 eq www

access-list inside_access_out extended deny ip any any

access-group inside_access_out out interface inside

I also tried the following, but I noted the same problem:

access-list inside_access_in extended permit tcp host 192.168.200.100 eq www 10.20.0.0 255.255.255.0

access-list inside_access_in extended deny ip any any

access-group inside_access_in in interface inside

Could someone help me resolve this issue?

Best regards,

Ismail

Accepted Solution

Re: ACL for Client VPN issue

Where is the crypto map applied? Are you trying to filter inbound or outbound traffic?

By default, when the following command is enabled:

sysopt connection permit-vpn

VPN traffic will bypass any configured rules on the interface that the crypto map is applied to.

I would suggest using VPN filters:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml
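As an added example, not part of the original post or the reply above, here is the VPN-filter approach the answer points to, written against the addresses in the question: the client pool 10.20.0.0/24 and the web server 192.168.200.100. The group-policy and tunnel-group names (RA-POLICY, RA-TUNNEL) are assumptions; the thread names neither. A vpn-filter ACL is written from the remote side's point of view (VPN client as source, inside host as destination) and the ASA checks it against both directions of the flow, so the server's replies are covered by the same line. The commented-out block at the end is the alternative that the answer's explanation implies (turning off the bypass so the interface ACL on the crypto-map interface does the filtering), shown for comparison.

```cisco
! --- Option 1 (what the accepted answer recommends): a VPN filter ---
! Leave the default in place: decrypted VPN traffic skips the interface
! ACLs, and the vpn-filter ACL alone decides what the client may reach.
sysopt connection permit-vpn
!
! vpn-filter ACLs are written with the remote VPN client in the source
! position and the local (inside) host in the destination position.
! The ASA evaluates the filter against both directions of a flow, so
! the web server's replies match this same line; no mirror entry needed.
! The implicit deny at the end drops everything else (SMB, RDP, ICMP...).
access-list VPN-FILTER-WEB extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
!
! Do not reuse VPN-FILTER-WEB with access-group on an interface; Cisco's
! configuration guide says a VPN-filter ACL is for the filter only.
!
! RA-POLICY / RA-TUNNEL are assumed names; use the ones on your ASA.
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER-WEB
!
tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY
!
! --- Option 2 (alternative): stop bypassing the interface ACLs ---
! With the bypass disabled, decrypted client traffic is checked by the
! ACL applied inbound on the interface the crypto map sits on (normally
! "outside"), which is why the rules in the question, placed on "inside",
! never matched. Note that this ACL also governs all other traffic
! arriving on "outside", so merge it with any ACL already there.
! IKE/ESP to the ASA itself is to-the-box traffic and is not subject to
! interface ACLs, so the tunnel still comes up.
! no sysopt connection permit-vpn
! access-list outside_access_in extended permit tcp 10.20.0.0 255.255.255.0 host 192.168.200.100 eq www
! access-list outside_access_in extended deny ip any any
! access-group outside_access_in in interface outside
!
! --- Verification (exact output layout varies by ASA release) ---
! show running-config sysopt          -> confirms whether permit-vpn is on
! show vpn-sessiondb detail remote    -> "Filter Name" should list VPN-FILTER-WEB
!                                         for a connected IPsec client session
```

After applying either option, test from a connected client with a port that is not 80 (for example an SSH or RDP attempt to 192.168.200.100) and confirm it is dropped while the browser still reaches the site; with Option 1, `show access-list VPN-FILTER-WEB` shows the hit counter on the permit line increasing only for the web traffic.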

Re: ACL for Client VPN issue

Thanks,

your post was extremely helpful for me.
