Cisco Anyconnect Firewall rules

elden25 — Sat, 28 Jan 2023 01:36:13 GMT

Hallo,

we're setting FPR with ASA Image for VPN remote access. The users will get private IP addresses that are routed in the local LAN, so no NAT in between. As far as I understand now, these IPs are reachable from anywhere in the LAN. How would I set firewall rules at the FPR such that these IPs cannot be reached? Are these Group Policy rules or can I just set them at Firewall -> Access rules, i.e.:

any -> 192.168.10.0/24: any deny

Re: Cisco Anyconnect Firewall rules

Marius Gunnerud — Sat, 28 Jan 2023 22:58:47 GMT

Regardless of if this is remote access or IPsec VPN, you can disable the access control policy bypass in which case you would need to create access rules on the interface that the VPN is terminated on (usually the outside interface). Doing this will allow you to limit what access the users at the remote site can access in your local LAN. To do this you need to un-check / un-select the Bypass Access Control Policy for decrypted traffic (sysopt permit-vpn) when setting up the VPN. It can also be disabled after setup if needed.

topic Cisco Anyconnect Firewall rules in Network Security

Cisco Anyconnect Firewall rules

Re: Cisco Anyconnect Firewall rules