Community Member

how to deny internet access while connected VPN

Hello

I use my VPN client IPsec with Cisco VPN Client.

I have some groups on AD. I use LDAP Attribute Map to allow access by Group Policies

Well, I configure ACL Manager and Standard ACL for each group, allowing only Server and Service...

Group Policies: VPN_client (ASA reads clients from this group to allow access.)

ACL Manager: nl-client

    Source    Destination    Service     Action
    any       10.0.0.10      tcp/3389    Permit

Standard ACL: nl-stan-client

    Address       Action
    10.0.0.10     Permit

These above are the configs I use... Everything works fine...

With this config, user can access the internet while connected on VPN

I want when user connected on VPN, only access 10.0.0.10 on tcp/3389 and deny access to the internet.

How can I do it?

Thanks

12 REPLIES

Re: how to deny internet access while connected VPN

Hi Diego,

All you need is to setup "split-tunnel-policy tunnelall" under the group-policy settings.

split-tunnel-policy

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1560853

This will stop any traffic to the Internet, since the client will send it to the ASA.

Quoting:

"I want when user connected on VPN, only access 10.0.0.10 on tcp/3389 and deny access to the internet."

Let me know.

Please rate any post that you find useful.

Community Member

Re: how to deny internet access while connected VPN

Hi Diego,

This might help you...

access-list TEST remark networks reached through the tunnel (split-tunnel list)
access-list TEST standard permit host 10.0.0.10


group-policy TEST_POLICY internal
group-policy TEST_POLICY attributes
dns-server value x.x.x.x
vpn-tunnel-protocol IPSec l2tp-ipsec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value TEST

Regards,

MKD

Community Member

Re: how to deny internet access while connected VPN

Hi Guys,

Thanks for the answers..

Well, I use ASDM to configure most things... Anyway, I understood what I need to do.. So, I did:

Under Group Policy, Advanced, Split Tunneling, I had in Policy: Tunnel Network List Below and in Network List: nl-stan-client

I changed it to:

Policy: Tunnel All Network

Network List: Inherit

With this config, my vpn client can access 10.0.0.10 tcp/3389 (using my nl-client = Extended ACL)

And the client can't access the Internet..

I think it's OK...

Is the result the same as what you were saying to me?

Re: how to deny internet access while connected VPN

Hi Diego,

Please check this out:

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Instead of using "tunnelspecified" use "tunnelall".

Let me know.

Please rate any post that you find useful.

Community Member

Re: how to deny internet access while connected VPN

Diego, I have the opposite problem: my VPN users can access the internal network resources but not the Internet. Can you tell me how your NAT was set up? They need to access the Internet while connected to the VPN. I have tunnelall; when I change that, the Internet works but the internal resource access does not. Thank you.

Sent from Cisco Technical Support iPad App

Re: how to deny internet access while connected VPN

Hi Olga,

May I know the code version of your ASA?

Thanks!

Community Member

Re: how to deny internet access while connected VPN

8.4(2)

Sent from Cisco Technical Support iPad App

Re: how to deny internet access while connected VPN

Thanks for the update

Do you want to access the Internet through the ASA (while connected to the VPN with tunnelall) or through the client's local network?

Thanks.

Community Member

Re: how to deny internet access while connected VPN

The users do not want to close the VPN connection to be able to access the internet.

Sent from Cisco Technical Support iPad App

Re: how to deny internet access while connected VPN

Dear Olga,

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Please use "tunnelspecified".

This is a complete example, including the NAT rules:

1- access-list SPLIT_ACL_AC standard permit 192.168.2.0 255.255.255.0

   group-policy Group-policy_VPN_Clients attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT_ACL_AC

2- ip local pool VPN_AC 192.168.1.1-192.168.1.254

3- object network obj-192.168.1.0_24          ----------> VPN pool
    subnet 192.168.1.0 255.255.255.0

4- object network obj-192.168.2.0_24          ----------> Inside network
    subnet 192.168.2.0 255.255.255.0

5- nat (inside,outside) 1 source static obj-192.168.2.0_24 obj-192.168.2.0_24 destination static obj-192.168.1.0_24 obj-192.168.1.0_24 route-lookup
   ----------> NAT exemption so the VPN pool can reach the Inside network.

Let me know if you have any questions.

Please rate any post you find useful.

Community Member

Re: how to deny internet access while connected VPN

Thank you Javier. I did have the split tunnel set up, but my extended ACL did not have access from the pool addresses for the iPad to the internal network; I had an "Any" that was breaking the split. Once I added that rule, the whole thing worked like a champ. I appreciate your help and response.

Sent from Cisco Technical Support iPad App
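The two situations in this thread (Diego's policy, where tunnelall keeps all client traffic inside the tunnel, and Olga's split list that contained "Any" and therefore tunnelled everything despite tunnelspecified) can be checked mechanically from a running-config. The script below is an added example written for this thread, not Cisco's tooling; the configuration it parses is constructed, with the group-policy and ACL names borrowed from the posts above. It assumes split-tunnel network lists are standard ACLs and that a group-policy attribute that is not set is inherited from DfltGrpPolicy, with tunnelall as the ASA's default.

```python
"""Audit ASA group-policy split-tunnel settings from a running-config fragment.

Added example for this thread, not Cisco code. For each group-policy it reports
whether a connected client can reach the Internet directly, and flags a
split-tunnel network list that contains "any" (everything tunnelled even
though the policy says tunnelspecified). Attributes missing on a group-policy
are inherited from DfltGrpPolicy; the ASA default is tunnelall.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration; names mirror the ones used in the thread.
SAMPLE_CONFIG = """\
access-list nl-stan-client standard permit host 10.0.0.10
access-list SPLIT_ACL_AC standard permit 192.168.2.0 255.255.255.0
access-list BROKEN_SPLIT standard permit any
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelall
group-policy VPN_client internal
group-policy VPN_client attributes
 split-tunnel-policy tunnelall
group-policy Group-policy_VPN_Clients internal
group-policy Group-policy_VPN_Clients attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ACL_AC
group-policy IPAD_USERS internal
group-policy IPAD_USERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value BROKEN_SPLIT
group-policy INHERITS internal
group-policy INHERITS attributes
 dns-server value 10.0.0.53
"""


@dataclass
class GroupPolicy:
    name: str
    policy: Optional[str] = None        # tunnelall | tunnelspecified | excludespecified
    network_list: Optional[str] = None  # name of the standard ACL used as split list


ACL_RE = re.compile(r"^access-list (\S+) standard permit (.+)$")
GP_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")


def parse_config(text: str) -> Tuple[Dict[str, List[str]], Dict[str, GroupPolicy]]:
    """Collect standard ACL entries and the split-tunnel attributes of each group-policy."""
    acls: Dict[str, List[str]] = {}
    policies: Dict[str, GroupPolicy] = {}
    current: Optional[GroupPolicy] = None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            # Indented line inside a "group-policy X attributes" stanza.
            m = re.match(r"\s+split-tunnel-policy (\S+)", line)
            if m:
                current.policy = m.group(1)
            m = re.match(r"\s+split-tunnel-network-list value (\S+)", line)
            if m:
                current.network_list = m.group(1)
            continue
        current = None  # any non-indented line ends the stanza
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = GP_ATTR_RE.match(line)
        if m:
            current = policies.setdefault(m.group(1), GroupPolicy(m.group(1)))
    return acls, policies


def covers_everything(entries: List[str]) -> bool:
    """True if any standard ACL entry matches all addresses ("any" or 0.0.0.0/0)."""
    for entry in entries:
        fields = entry.split()
        if fields[0] == "any" or fields[:2] == ["0.0.0.0", "0.0.0.0"]:
            return True
    return False


def effective(policies: Dict[str, GroupPolicy], name: str) -> Tuple[str, Optional[str]]:
    """Apply DfltGrpPolicy inheritance and the ASA default of tunnelall."""
    gp = policies[name]
    dflt = policies.get("DfltGrpPolicy", GroupPolicy("DfltGrpPolicy"))
    return gp.policy or dflt.policy or "tunnelall", gp.network_list or dflt.network_list


def audit(text: str) -> Dict[str, dict]:
    acls, policies = parse_config(text)
    report: Dict[str, dict] = {}
    for name in policies:
        if name == "DfltGrpPolicy":
            continue
        policy, netlist = effective(policies, name)
        issues: List[str] = []
        direct: Optional[bool]  # can the client reach the Internet outside the tunnel?
        if policy == "tunnelall":
            direct = False
        elif policy in ("tunnelspecified", "excludespecified"):
            if netlist is None or netlist not in acls:
                direct = None
                issues.append(f"{policy} but network list {netlist!r} is missing")
            else:
                all_nets = covers_everything(acls[netlist])
                if policy == "tunnelspecified":
                    direct = not all_nets  # only listed networks enter the tunnel
                    if all_nets:
                        issues.append(f"list {netlist} contains any: everything is tunnelled")
                else:
                    direct = all_nets  # listed networks bypass the tunnel (conservative)
                    if all_nets:
                        issues.append(f"list {netlist} contains any: nothing is tunnelled")
        else:
            direct = None
            issues.append(f"unknown split-tunnel-policy {policy}")
        report[name] = {"policy": policy, "network_list": netlist,
                        "direct_internet": direct, "issues": issues}
    return report


if __name__ == "__main__":
    for gp_name, result in audit(SAMPLE_CONFIG).items():
        print(f"{gp_name}: {result}")
```

A tunnelall result only means that Internet-bound traffic reaches the ASA; whether the ASA then forwards it out depends on its NAT and same-security-traffic configuration, which is why Diego's policy also carries the nl-client filter that permits nothing but tcp/3389 to 10.0.0.10. The excludespecified branch is deliberately conservative: it only reports direct Internet access when the exclude list covers everything.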

Re: how to deny internet access while connected VPN

Good news

It was very nice working with you.

Take care.
