
New Member

Allow AnyConnect clients access to only a few servers while connected

We have 30 remote workers which we have recently acquired which are being set up with the AnyConnect client to connect to our head end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head end ASA via a site-to-site VPN while they are connected to us using AnyConnect. Any pointers would be appreciated.

ASA version 8.3

Thanks,

-Mike


4 REPLIES

Allow AnyConnect clients access to only a few servers while conn

You have two choices. You can either apply the ACL as a split-tunnel ACL to a group policy:

access-list split_tunnel standard permit host 10.10.0.1
access-list split_tunnel standard permit host 10.10.0.2
access-list split_tunnel standard permit host 10.10.0.3
!
group-policy GROUP attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel

or you can apply the ACL as a vpn-filter to a group-policy:

access-list filter_vendor standard permit host 10.10.0.1
access-list filter_vendor standard permit host 10.10.0.2
access-list filter_vendor standard permit host 10.10.0.3
!
group-policy GROUP attributes
vpn-filter value filter_vendor
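A small audit script, added here as an example and not part of the thread or of any Cisco tool, that parses the group-policy blocks out of ASA running-config text and flags the two gaps that matter for the options above: a split-tunnel-network-list while split-tunnel-policy is left at its default (tunnelall), in which case the list has no effect, and a split-tunnel setup with no vpn-filter, where access is only shaped by client routing rather than enforced on the ASA. The sample config is constructed; the policy and ACL names are borrowed from this thread.

```python
from typing import Dict, List

# Constructed sample in ASA running-config form; names reuse the thread's, content is made up.
SAMPLE_CONFIG = """\
access-list MRT-SPLIT standard permit host 10.10.1.45
access-list filter_vendor standard permit host 10.10.0.1
group-policy MRT-CODERS attributes
 split-tunnel-network-list value MRT-SPLIT
group-policy GROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MRT-SPLIT
 vpn-filter value filter_vendor
"""

# Accepted unindented too, since 'show run | inc' pastes often lose indentation.
SUBCOMMANDS = {"split-tunnel-policy", "split-tunnel-network-list", "vpn-filter"}

def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Map each 'group-policy NAME attributes' block to {sub-command: value}."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "group-policy" and words[-1] == "attributes":
            current = policies.setdefault(words[1], {})
        elif current is not None and (line[0] == " " or words[0] in SUBCOMMANDS):
            current[words[0]] = words[-1]  # 'X value Y' and 'X Y' both -> X: Y
        else:
            current = None  # any other top-level command ends the block
    return policies

def audit(config: str) -> Dict[str, List[str]]:
    """Per group-policy, list what a reviewer would flag about tunnel ACL usage."""
    acls = {l.split()[1] for l in config.splitlines() if l.startswith("access-list ")}
    findings: Dict[str, List[str]] = {}
    for name, attrs in parse_group_policies(config).items():
        notes: List[str] = []
        policy = attrs.get("split-tunnel-policy", "tunnelall")  # ASA default
        if "split-tunnel-network-list" in attrs and policy == "tunnelall":
            notes.append("split-tunnel-network-list set but policy is tunnelall: list has no effect")
        if "split-tunnel-network-list" in attrs and "vpn-filter" not in attrs:
            notes.append("no vpn-filter: split tunneling shapes client routing, it does not enforce access")
        for key in ("split-tunnel-network-list", "vpn-filter"):
            if key in attrs and attrs[key] not in acls:
                notes.append(f"{key} references undefined ACL {attrs[key]}")
        findings[name] = notes
    return findings
```

Feed it the output of `show run` (or a `show run | inc` paste) and an empty findings list for a policy means both a split-tunnel policy and a vpn-filter are in place.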

New Member

Allow AnyConnect clients access to only a few servers while conn

Hi Roman. Thanks for the quick reply.

Actually, I had the following lines in the configuration, but I am still able to ping other servers in the 10.10.X.X/16 network which I did not specify in the split tunnel ACL. (MRT-Coder is the group, MRT-CODERS is the policy, and MRT-SPLIT is the ACL.) The following is the output of the 'show run | inc MRT' command. Do you spot anything I might be missing, or should I just try the filter option?

access-list MRT-SPLIT standard permit host 10.10.1.45
access-list MRT-SPLIT standard permit host 10.10.1.52
access-list MRT-SPLIT standard permit host 10.10.1.224
ip local pool MRT-Coder 10.10.50.20-10.10.50.254 mask 255.255.255.0
group-policy MRT-CODERS internal
group-policy MRT-CODERS attributes
split-tunnel-network-list value MRT-SPLIT
tunnel-group MRT-Coder type remote-access
tunnel-group MRT-Coder general-attributes
address-pool MRT-Coder
default-group-policy MRT-CODERS
tunnel-group MRT-Coder webvpn-attributes
group-alias MRT-Coder enable


New Member

Allow AnyConnect clients access to only a few servers while conn

Roman,

I spoke too soon; using the vpn-filter option worked perfectly. Now, for the second part of my question: is that something you might be able to help out with?

Basically, I need to allow these same AnyConnect users full access to servers located in a datacenter which will be connected to us via a site-to-site VPN.

Thanks,

-Mike

Allow AnyConnect clients access to only a few servers while conn

Same concept should apply. You should be able to allow them with vpn-filter.
