Community Member

block internet access for remote access vpn users

Currently we are allowing remote access vpn users access to the Internet, our setup is as follows:

group-policy VPN attributes
 dns-server value 192.168.100.10
 vpn-filter none
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split
!
access-list split standard permit 192.0.0.0 255.0.0.0

We need to change this setup such that remote access vpn users can still access the internal network (192.0.0.0 255.0.0.0) but NOT allow them Internet access, in other words everything should remain the same but we need Internet blocked.

What do we need to change on the group-policy?

3 REPLIES
Cisco Employee

Re: block internet access for remote access vpn users

1. You need to change this:

split-tunnel-policy tunnelspecified

to tunnel all traffic.

2. Apply vpn-filter option.

However, in this case all traffic requests for the Internet will go to (and be dropped by) the ASA.

Community Member

Re: block internet access for remote access vpn users

You mean the following:

split-tunnel-policy tunnelall

vpn-filter none

What is the purpose of the vpn-filter?

Do I need to specify a vpn-filter to block Internet and allow internal access?

Cisco Employee

Re: block internet access for remote access vpn users

Long story short.

You can drop traffic via ACL with vpn-filter.

OR

You can make sure that traffic will not make a u-turn on the outside interface of the ASA. (You need same-security-traffic permit intra-interface to allow a u-turn.)

If you need the same-security command for some reason, you can remove NAT from outside-to-outside.

Paste more of the config and we'll be able to say more.
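The change both replies describe (force all client traffic into the tunnel, then restrict it with a vpn-filter ACL), written out as an added example configuration that is not from the thread. The group-policy name, DNS server and internal range come from the original post; the ACL name RA-VPN-FILTER is an assumption.

```cisco
! Added example, not from the thread. vpn-filter ACEs are written from the
! remote client's point of view: source = VPN client address, destination = local network.
! Only the internal range is permitted; everything else, including Internet-bound
! traffic that would otherwise hairpin out of the outside interface, is dropped.
access-list RA-VPN-FILTER extended permit ip any 192.0.0.0 255.0.0.0
access-list RA-VPN-FILTER extended deny ip any any log
!
group-policy VPN attributes
 dns-server value 192.168.100.10
 vpn-tunnel-protocol IPSec
 ! tunnelall sends every packet, Internet included, through the tunnel to the ASA;
 ! the split-tunnel-network-list "split" is no longer consulted under this policy
 split-tunnel-policy tunnelall
 ! replaces "vpn-filter none"
 vpn-filter value RA-VPN-FILTER
```

`show access-list RA-VPN-FILTER` shows hit counts on the deny line, which confirms that clients' Internet attempts are reaching the ASA and being dropped rather than leaking out.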
