Cisco Support Community
Community Member

Where to filter IPSec/VPN traffic in ASA

I'm currently configuring a Cisco ASA.

I have set up an IPSec VPN tunnel between a VPN Client and my ASA.

My VPN POOL addresses:

My LAN network:

After applying an access-list on my incoming inside traffic (inside_access_in) I can do anything through the tunnel (ICMP ping/RDP/access a share on the remote machine...)

Now I want to block all the traffic through the tunnel except RDP (tcp 3389) and ICMP.

My answer to this problem would be changing my inside incoming access-list (inside_access_in).

As a test I did the following:

access-list inside_access_in line 1 extended deny tcp eq 3389 (hitcnt=0) 0x94017c37

to block RDP traffic.

This doesn't work.

I tried almost the same with an IPSec rule... again, no luck.

My question is where to block traffic that goes through the IPSec tunnel.

Community Member

Re: Where to filter IPSec/VPN traffic in ASA

You probably have "sysopt connection permit-ipsec" which allows tunnel traffic to bypass inspection from ACLs.

Take a look at applying a vpn-filter acl on the remote access tunnel group.
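Here is what that suggestion looks like as an added configuration example; it is not from this thread or from Cisco's own document. It assumes a VPN pool of 192.0.2.0/24, a LAN of 10.0.0.0/24, and the names VPN-FILTER, RA-POLICY and RA-TUNNEL, all of which are placeholders for the poster's actual values. On current ASA software the sysopt keyword is "permit-vpn" (older releases used "permit-ipsec"), and while it is enabled, decrypted tunnel traffic skips the interface ACLs, so a per-tunnel vpn-filter is the place to restrict it.

```cisco
! Confirm the interface ACL bypass is in effect (it is on by default):
show running-config all sysopt
! ... expect "sysopt connection permit-vpn" in the output

! vpn-filter ACLs are written with the VPN client as the SOURCE and the
! protected LAN as the DESTINATION, regardless of which side opens the
! connection; the ASA reverses the addresses when it checks LAN-initiated
! traffic. The ACL ends with an implicit deny, so only RDP and ICMP survive.
! 192.0.2.0/24 = assumed VPN pool, 10.0.0.0/24 = assumed inside LAN.
access-list VPN-FILTER extended permit tcp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 3389
access-list VPN-FILTER extended permit icmp 192.0.2.0 255.255.255.0 10.0.0.0 255.255.255.0

! Attach the filter to the group policy used by the remote access tunnel group.
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

tunnel-group RA-TUNNEL general-attributes
 default-group-policy RA-POLICY

! Verify: after the client reconnects, the hit counters should move on the
! two permit lines while a blocked test (e.g. SMB to a share) stays at zero.
show access-list VPN-FILTER
```

Two points worth checking after applying it. The filter only takes effect for sessions established after the change, so have the client disconnect and reconnect before testing. And the alternative approach, removing the bypass with "no sysopt connection permit-vpn" and filtering decrypted traffic with the outside interface ACL, also works but then affects every VPN session terminating on that interface, whereas vpn-filter scopes the restriction to one group policy (or one user).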

Community Member

Re: Where to filter IPSec/VPN traffic in ASA

I agree, applying a filter would help.

Restrict the Network Access of Remote Access VPN Users
