Where to filter IPSec/VPN traffic in ASA

I'm currently configuring a Cisco ASA.

I have set up an IPSec VPN tunnel between a VPN Client and my ASA.

My VPN POOL addresses: 10.10.10.0/24

My LAN network: 192.168.0.0/24

After applying an access-list on my incoming inside traffic (inside_access_in) I can do anything through the tunnel (ICMP ping/RDP/access a share on the remote machine...)

Now I want to block all the traffic through the tunnel except RDP (tcp 3389) and ICMP.

My answer to this problem would be changing my inside incoming access-list (inside_access_in).

As a test I did the following:

access-list inside_access_in line 1 extended deny tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 3389 (hitcnt=0) 0x94017c37

to block RDP traffic.

This doesn't work.

I tried almost the same with an IPSec rule... again, no luck.

My question is where to block traffic that goes through the IPSec tunnel.

2 Replies

t-heeter
Level 1

You probably have "sysopt connection permit-ipsec" which allows tunnel traffic to bypass inspection from ACLs.

Take a look at applying a vpn-filter acl on the remote access tunnel group.

sharacha
Level 1

I agree, applying a filter would help.

Restrict the Network Access of Remote Access VPN Users

http://cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml
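Putting the two replies together, here is an added example configuration (not from the original thread) that restricts the poster's remote-access users to RDP and ICMP using a vpn-filter. It uses the pool and LAN addresses from the question; the ACL, group-policy and tunnel-group names are assumed.

```text
! Added example, not part of the original thread. Names VPN_FILTER_RDP_ICMP,
! GP_RA_RDP_ONLY and RA_TUNNEL are assumed placeholders.
!
! A vpn-filter ACL is written from the remote client's point of view:
! source = VPN pool, destination = inside LAN. The ASA also applies it to the
! reverse direction with the addresses swapped, so no mirror entries are
! needed. The implicit deny at the end drops everything else (SMB shares etc.).
access-list VPN_FILTER_RDP_ICMP extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 3389
access-list VPN_FILTER_RDP_ICMP extended permit icmp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Attach the filter to the group policy used by the remote-access tunnel group.
group-policy GP_RA_RDP_ONLY internal
group-policy GP_RA_RDP_ONLY attributes
 vpn-filter value VPN_FILTER_RDP_ICMP
!
tunnel-group RA_TUNNEL general-attributes
 default-group-policy GP_RA_RDP_ONLY
!
! Verification: the filter ACL's hit counters increment for tunnel traffic,
! while the inside_access_in deny from the question stays at hitcnt=0 because
! "sysopt connection permit-ipsec" (permit-vpn on newer releases) lets
! decrypted tunnel traffic bypass the interface ACLs.
show access-list VPN_FILTER_RDP_ICMP
show running-config sysopt
```

If you would rather have the interface ACL apply to tunnel traffic, the alternative is "no sysopt connection permit-ipsec" (or permit-vpn), after which decrypted traffic is checked against the outside interface's inbound ACL; the vpn-filter approach keeps the restriction tied to the VPN group instead.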