blocking websites for offline ipsec vpn users

cornmarket
Level 1

Hi,

We are using ASA 5520s as our firewalls and our salespeople connect in over IPsec with VPN Client v5. With our previous Check Point firewalls and clients we could add a default policy which would be active while the client was not connected, which would limit which websites the salespeople could visit while not connected to the firewall.

With our new Cisco setup we are able to restrict what websites they visit while they are connected, but once they disconnect from the firewall they have unrestricted access to the web. Is there a way to limit this to a list of predefined business-related sites?

Thanks,

Sam


5 Replies

Hi,

How do you restrict the websites the clients visit while they're connected?

Are you using the Firewall feature for VPN?

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/vpngrp.html#wp1182773

You can use the ASA to block access to specific websites using MPF.

Federico.
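
As an added example (not from the original thread or from Cisco's documentation), here is roughly what Sam's current setup looks like on the ASA side: a vpn-filter ACL bound to the group policy so VPN-pool users can only reach the permitted web servers, followed by the MPF HTTP-inspection approach Federico mentions for blocking specific sites by hostname. All names, addresses and hostnames are constructed placeholders. Both mechanisms live on the ASA, so they only take effect while the tunnel is up; neither reaches a client that is offline, which is exactly the gap Sam describes.

```cisco
! --- Part 1: vpn-filter (what Sam already has) ---
! Constructed example: only two business web servers are reachable
! through the tunnel. The ACL is written from the VPN client's side
! (assumption: source = client pool, destination = internal server);
! return traffic is handled statefully, so no reverse rules are needed.
access-list VPN_FILTER extended permit tcp any host 203.0.113.10 eq 443
access-list VPN_FILTER extended permit tcp any host 203.0.113.11 eq 80
access-list VPN_FILTER extended deny ip any any log
!
group-policy SALES_GP internal
group-policy SALES_GP attributes
 vpn-filter value VPN_FILTER
!
tunnel-group SALES_VPN general-attributes
 default-group-policy SALES_GP

! --- Part 2: MPF HTTP inspection (Federico's suggestion) ---
! Constructed example: drop tunnelled HTTP requests whose Host header
! matches a blocklist of non-business domains. Only plain HTTP is
! inspected; HTTPS would still need the ACL above.
regex BLOCKED_SITE_1 "\.social-example\.com"
regex BLOCKED_SITE_2 "\.video-example\.net"
!
class-map type regex match-any BLOCKED_SITES
 match regex BLOCKED_SITE_1
 match regex BLOCKED_SITE_2
!
class-map type inspect http match-all BLOCK_HTTP_HOSTS
 match request header host regex class BLOCKED_SITES
!
policy-map type inspect http HTTP_FILTER
 parameters
 class BLOCK_HTTP_HOSTS
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect http HTTP_FILTER
```

The `deny ip any any log` at the end of the vpn-filter ACL is useful during testing: every non-business connection attempt from the pool shows up in syslog, which is an easy way to confirm the allow-list is actually the only path out. It also makes the limitation obvious in the logs: once the client disconnects, those hits simply stop, because the traffic never reaches the ASA.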

Hi Federico,

At the moment they are blocked from accessing non-business-related websites while connected, because we have only specified the sites they are allowed to access in the ACL that has been applied to the IP pool the VPN clients use. However, once they disconnect they can access any sites.

(With the Check Point VPN-1 client a default policy was pushed down from the server with the VPN policy. Once the client disconnected from the VPN, the default policy kicked in and would block them from accessing sites not specified in the policy.)

So at the moment the ASA blocks anyone with an address in the VPN IP pool from accessing any website not in its ACL. Is there a way to push a policy to the Cisco VPN client's stateful firewall to do the same even when the client is not connected to the firewall?

(Apologies if I'm using the wrong terminology here or if I'm missing something basic, but I'm new to Cisco firewalls.)

Thanks,

Sam

cornmarket
Level 1

Another thought has occurred to me: is it possible to block them from accessing all websites when they are not connected by enforcing a proxy on the laptops? This might work. Basically, it's more important that they be blocked from non-business sites when they are not connected to the VPN than that they be allowed access to business sites when they are not on the VPN.

Sorry for the late response.

I don't think you can inject a customized firewall policy rule to the VPN client when they are not connected.

You can use the stateful always on firewall but you can't customize it as far as I'm aware.

Enforcing a proxy on the laptops as you describe might be a better solution.

Federico.

No problem. In the end I just configured the Symantec Endpoint firewall, which is already on the laptops in question, to block all HTTP except for the allowed sites.

Thanks,

Sam