Cisco Support Community
New Member

Lock down AnyConnect VPN with extended access list

I am trying to lock down my AnyConnect VPN interface. I am using split tunneling. I only want it to tunnel HTTP traffic to an external HTTP server we have, and FTP for another external server we have. I don't want anything else going through the tunnel or allowed anywhere else on our network. With my current configuration I can connect to the VPN and ping the servers by external IP, but not by name. I also cannot browse anywhere else while I am connected. It is not imperative for me to browse anywhere else while connected, but I do need it to only allow the access specified above.

Configuration:

group-policy Anyconnect attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value WebAccessVPN
 webvpn
  url-list none
  svc ask enable default webvpn

access-list WebAccessVPN extended permit icmp any host FTP-EXT object-group Ping_and_Trace log disable
access-list WebAccessVPN remark FTP external FTP
access-list WebAccessVPN extended permit tcp any host FTP-EXT object-group DM_INLINE_TCP_2 log disable
access-list WebAccessVPN extended permit icmp any host LICENSING-EXT object-group Ping_and_Trace log disable
access-list WebAccessVPN extended permit object-group TCPUDP any host LICENSING-EXT eq www log disable
access-list WebAccessVPN extended deny ip any object-group DM_INLINE_NETWORK_1

Accepted Solutions
Cisco Employee

Re: Lock down AnyConnect VPN with extended access list

You can use the vpn-filter under the group-policy attributes. In the vpn-filter you can reference the access-list you created.

2 REPLIES
New Member

Re: Lock down AnyConnect VPN with extended access list

Thank you for the quick reply. I changed my split tunnel to a standard ACL just referencing the external objects and applied the extended WebAccessVPN ACL to the filter, and it appears to be working correctly.

I really appreciate the quick fixes here!
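The accepted answer above points at vpn-filter, and the follow-up reply describes moving the split-tunnel list to a standard ACL. The configuration below is an added example written for this page, not the poster's running config or Cisco reference material, showing both pieces together with the filter ACL written the way the ASA evaluates it. The addresses are assumed placeholders: 203.0.113.10 stands in for FTP-EXT, 203.0.113.20 for LICENSING-EXT, and 10.99.0.0/24 is an assumed AnyConnect address pool.

```cisco
! Added example, not the poster's configuration. Addresses are assumed:
! 203.0.113.10 = FTP-EXT, 203.0.113.20 = LICENSING-EXT, 10.99.0.0/24 = client pool.
ip local pool ANYCONNECT-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0

! 1. Split-tunnel list: a standard ACL naming only the two destinations.
!    The client routes nothing else into the tunnel, so other sites keep
!    going out the local connection. This list does routing, not filtering.
access-list SPLIT-WEB standard permit host 203.0.113.10
access-list SPLIT-WEB standard permit host 203.0.113.20

! 2. vpn-filter list: an extended ACL the ASA enforces on tunnelled traffic.
!    Write it client -> server, with the VPN pool as the source; the ASA
!    mirrors each entry for the return direction. The implicit deny at the
!    end drops everything else, including other ports on the two hosts,
!    which the split list alone would still let through.
access-list VPN-FILTER remark FTP control channel to the external FTP server
access-list VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 203.0.113.10 eq ftp
access-list VPN-FILTER remark HTTP to the licensing server
access-list VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 203.0.113.20 eq www
access-list VPN-FILTER remark Ping for troubleshooting only; remove these two if not needed
access-list VPN-FILTER extended permit icmp 10.99.0.0 255.255.255.0 host 203.0.113.10
access-list VPN-FILTER extended permit icmp 10.99.0.0 255.255.255.0 host 203.0.113.20
access-list VPN-FILTER remark Explicit deny so blocked attempts show up in hit counts and syslog
access-list VPN-FILTER extended deny ip any any log

! 3. Bind both lists to the group policy (the svc/webvpn keywords match the
!    release used in the original post; newer releases use ssl-client).
group-policy Anyconnect attributes
 vpn-tunnel-protocol svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-WEB
 vpn-filter value VPN-FILTER

! 4. Verify: per-entry hit counts on the filter, and the Filter Name shown
!    for a connected session (use "svc" instead of "anyconnect" on older releases).
show access-list VPN-FILTER
show vpn-sessiondb detail anyconnect
```

Two points to check after applying this. First, the filter ACL only permits the FTP control port; the data channel is opened by FTP inspection in the global policy, so test a real file transfer rather than just a login, and fall back to the poster's port object-group if transfers stall. Second, the poster could ping the servers by IP but not by name: with split tunnelling, name resolution follows whatever DNS the client uses locally, so if the names must be resolved by a server reached through the tunnel, that server has to appear in the split-tunnel list and get a matching `permit udp ... eq domain` entry in the filter.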
