Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Anyconnect limited VPN access

Hi,

I already have a VPN profile set up on my machine for full-access VPN connectivity into my LAN and DMZ.

I would need to set up another one, but I need it to have access only to certain machine/port combinations ONLY, for example;

Server1: Remote desktop

Server2: Jira (Port 7272)

Server2: TFS

Server3: SQL Server

And everything else blocked of course.

Just to set me in the right direction, what is the recommended method to go about this?

Thanks,

Brendan.

2 REPLIES
Super Bronze

Anyconnect limited VPN access

Hi,

Well I think there would be a few different basic options to approach this

If you are using local authentication on the ASA for the VPN user then you can actually use the same VPN you have configured for yourself but attach a VPN Filter ACL to the "username" configuration/attributes of the user that needs limited connectivity.

As a similiar option compared to the above you could actually leave out the VPN Filter ACL and change the ASA global setting that defines how connections incoming from VPN are handled. There is a setting called "sysopt connection permit-vpn" that is the default setting (doesnt show in the CLI configuration). This essentially means that any connection coming through a VPN Connection will bypass the VPN interface ACL. If you were to change this setting to "no sysopt connection permit-vpn" then ANY connection coming through VPN would require ACL rule in the VPN interfaces ACL. If you were to use local authentication or otherwise knew the IP address the user would get on VPN login you could then use the actual interface ACL to allow only the traffic it needs and for example allow all traffic for your own full access VPN.

You could ofcourse also configure a completely new VPN profile for these users and configure the VPN Filter for that whole group. This might in some sense be clearer setup when you have a VPN profile that is specifically used for your own purposes that allow full access while the other group is specifically meant for some external users perhaps.

Hopefully the above made any sense

- Jouni

Silver

Anyconnect limited VPN access

As mentioned by Jouni, the best option is to configure vpn-filters. This will not affect your other vpn traffic as well.

You can configure vpn filters on ASA as follows:-

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

HTH!!!

Regards,

Naresh

1114
Views
5
Helpful
2
Replies
CreatePlease to create content