Limit RDP for VPN Clients

jennyjohn
Level 1

When I give split-tunnel-network-list value nonat, the Remote Access VPN works fine.

But I have to block Remote Desktop access to servers 10.2.1.10, 10.2.1.12 & 10.2.1.13 (only RDP to be blocked).

For the rest of the servers 10.2.1.20, 10.2.1.21, 10.2.1.22 & 10.2.1.25 users should have full access. When I apply split-tunnel-network-list value erpacl, the traffic is blocked. Seems to be an access-list issue.

Should I use vpn-filter value erpacl?

Thanks in advance

access-list nonat extended permit ip host 10.1.2.20 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.21 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.22 172.28.10.0 255.255.255.0
access-list nonat extended permit ip host 10.1.2.25 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.10 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.12 172.28.10.0 255.255.255.0
access-list nonat extended permit tcp host 10.1.2.13 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.20 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.21 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.22 172.28.10.0 255.255.255.0
access-list erpacl extended permit ip host 10.1.2.25 172.28.10.0 255.255.255.0
access-list erpacl extended deny tcp host 10.1.2.10 172.28.10.0 255.255.255.0 eq 3389
access-list erpacl extended deny tcp host 10.1.2.12 172.28.10.0 255.255.255.0 eq 3389
access-list erpacl extended deny tcp host 10.1.2.13 172.28.10.0 255.255.255.0 eq 3389
!
ip local pool erppool 172.28.10.1-172.28.10.10 mask 255.255.255.0
!
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
!
group-policy erpvpn internal
group-policy erpvpn attributes
dns-server value 10.1.2.10
vpn-simultaneous-logins 100
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value erpacl
default-domain value npsintl.com
!
tunnel-group ERP-VPN type ipsec-ra
tunnel-group ERP-VPN general-attributes
address-pool erppool
default-group-policy erpvpn
tunnel-group ERP-VPN ipsec-attributes
pre-shared-key *
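One way to separate the two jobs, added here as an example and not part of the post: the split-tunnel list only selects which destinations the client sends into the tunnel and does not filter traffic, while a vpn-filter ACL (written with the client pool as source and the inside host as destination) does the RDP blocking. The ACL names erp-split and erp-filter and the 10.1.2.0/24 subnet are assumptions based on the addresses in the posted config; the nonat exemption and the tunnel-group are left as they are in the post.

```cisco
! Split-tunnel list (assumed name erp-split): it only decides which
! destinations the remote client routes into the tunnel; it is not a
! traffic filter, so the RDP-restricted servers must still be included
! or no traffic at all reaches them. Whole inside /24 assumed.
access-list erp-split standard permit 10.1.2.0 255.255.255.0
!
! vpn-filter ACL (assumed name erp-filter): source is the VPN client pool,
! destination is the inside host. Deny RDP (tcp/3389) to the three servers,
! then permit everything else; the ACL ends with an implicit deny, so the
! final permit is required for the remaining servers to stay reachable.
access-list erp-filter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.10 eq 3389
access-list erp-filter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.12 eq 3389
access-list erp-filter extended deny tcp 172.28.10.0 255.255.255.0 host 10.1.2.13 eq 3389
access-list erp-filter extended permit ip 172.28.10.0 255.255.255.0 10.1.2.0 255.255.255.0
!
! Apply both lists to the existing group policy from the post.
group-policy erpvpn attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value erp-split
 vpn-filter value erp-filter
```

After a client reconnects, show vpn-sessiondb for the user should list erp-filter as the filter name, and a blocked RDP attempt shows up as a denied connection for that ACL in the ASA syslog.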
