12-20-2006 04:00 AM - edited 02-21-2020 02:46 PM
I'm currently configuring a Cisco ASA.
I have set up an IPSec VPN tunnel between a VPN Client and my ASA.
My VPN POOL addresses: 10.10.10.0/24
My LAN network: 192.168.0.0/24
After applying an access-list on my incoming inside traffic (inside_access_in), I can do anything through the tunnel (ICMP ping, RDP, access a share on the remote machine...)
Now I want to block all the traffic through the tunnel except RDP (tcp 3389) and ICMP.
My answer to this problem would be changing my inside incoming access-list (inside_access_in).
As a test I did the following:
access-list inside_access_in line 1 extended deny tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 3389 (hitcnt=0) 0x94017c37
to block RDP traffic.
This doesn't work.
I tried almost the same with an IPSec rule... again, no luck.
My question is where to block traffic that goes through the IPSec tunnel.
12-20-2006 05:45 AM
You probably have "sysopt connection permit-ipsec" which allows tunnel traffic to bypass inspection from acl's.
Take a look at applying a vpn-filter acl on the remote access tunnel group.
12-20-2006 08:05 AM
I agree, applying a filter would help.
Restrict the Network Access of Remote Access VPN Users
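A worked ASA configuration for the vpn-filter approach suggested in the two replies above, added here as an example and not taken from the thread or from Cisco's document; the addresses are the ones from the question, while the ACL, group-policy and tunnel-group names are placeholders.

```cisco
! Added example: restrict remote-access clients (pool 10.10.10.0/24) to RDP and
! ICMP toward the LAN (192.168.0.0/24) with a vpn-filter instead of an interface ACL.
! RA-VPN-FILTER, RA-GROUP-POLICY and RA-TUNNEL-GROUP are placeholder names.
!
! Why the inside_access_in test in the question shows hitcnt=0: an ACL applied
! "in" on the inside interface only sees traffic arriving from the LAN, and with
! "sysopt connection permit-ipsec" (the default; later renamed permit-vpn) decrypted
! tunnel traffic bypasses interface ACLs altogether. A vpn-filter is applied to the
! tunnel itself, so it is enforced regardless of that sysopt setting.
!
! A vpn-filter ACL for remote-access clients is written with the client addresses
! as source and the local network as destination; the ASA evaluates it for traffic
! in both directions (swapping src/dst for the LAN-to-client direction), and ends
! with an implicit deny, so everything not listed here is dropped.
access-list RA-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 3389
access-list RA-VPN-FILTER extended permit icmp 10.10.10.0 255.255.255.0 192.168.0.0 255.255.255.0
!
! Attach the filter to the group policy that the remote-access tunnel group uses.
group-policy RA-GROUP-POLICY internal
group-policy RA-GROUP-POLICY attributes
 vpn-filter value RA-VPN-FILTER
!
tunnel-group RA-TUNNEL-GROUP general-attributes
 default-group-policy RA-GROUP-POLICY
!
! Verification (run after a client reconnects so the new policy is pulled):
!   show access-list RA-VPN-FILTER      - hit counts now move on the filter lines
!   show vpn-sessiondb remote           - confirms the session and the filter in use
```

Because the filter is matched with src/dst swapped for the return direction, the RDP line also lets LAN hosts reach the client only when their source port is 3389; keep that in mind if the filter must be one-way strict.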