topic Thaks for your reply, Pawan! in Network Security

Deny access to VPN users to some internal resources on ASA

Ilya Semenov — Tue, 12 Mar 2019 08:14:39 GMT

Hello, everybody!

I have ASA 5506 and VPN L2TP Server on it. Everything works fine.

My internal network is 10.0.0.0/24, VPN IPs scope is 10.0.0.160-10.0.0.230.

I have to limit all the access for VPN clients for internal resources, except RDP to two servers.

I've created two rules for VPN Clients in outside section:

1st - allow VPN clients scope access to servers on port tcp/3389

2nd - deny VPN clients scope access to any

The problem is regardless of my rules mentioned above, VPN clients have all the access to internal resouces.

I have tried to split internal range 10.0.0.0/24 in two scopes: 10.0.0.1-10.0.0.159 and 10.0.0.231.

The problem still exists. Please, take a look at screenshot provided.

Do you have any ideas how to solve the problem?

Many thanks in advance,

Ilya

If you have applied this ACL

Pawan Raut — Wed, 07 Sep 2016 10:22:07 GMT

If you have applied this ACL on outside interface then it wil not work as traffic from outside comes to firewall in vpn encrypt form and then it get decrypt and goes to internal network better apply this rule on internal interface of firewall like inside interface in out direction.

Thaks for your reply, Pawan!

Ilya Semenov — Wed, 07 Sep 2016 10:33:37 GMT

Thaks for your reply, Pawan!

The problem is I've applied this rule to both outside and inside and there is no result. =(((

on inside interface direction

Pawan Raut — Wed, 07 Sep 2016 10:39:22 GMT

on inside interface direction must be out. (i.e. outbound). Dol ike to share inside interafce outbound acl

Hello, please, uncheck the

Boris Uskov — Wed, 07 Sep 2016 10:43:32 GMT

Hello, please, uncheck the option in Connection profile "Bypass interface access list..." (see the attach). But be careful with the option. This may influence other VPN if you have them, for example Site-to-Site IPsec.

Hello,

Boris Uskov — Wed, 07 Sep 2016 10:47:24 GMT

Hello,

please, uncheck the option in Connection profile "Bypass interface access list..." (see the attach). But be careful with the option. This may influence other VPN if you have them, for example Site-to-Site IPsec.

I'am sorry, what do you mean?

Ilya Semenov — Wed, 07 Sep 2016 11:20:03 GMT

I'am sorry, what do you mean? "Outbound direction"...?

Please, explain it...

Many thanks to you!

Every interface has two

Pawan Raut — Wed, 07 Sep 2016 11:22:41 GMT

Every interface has two direction in and out. Do you have any acl on inside interface out direction?

You can find that show run access-group

I've done as you told me. I

Ilya Semenov — Wed, 07 Sep 2016 12:16:40 GMT

I've done as you told me. I'll check it in two hours and report my results.

Thank you.

By l2tp server do you mean

mrrlg — Wed, 07 Sep 2016 18:23:00 GMT

By l2tp server do you mean this is an individual user using an l2tp client to create a vpn connection to the firewall or is it a site to site tunnel between two devices using l2tp?

If it is an individual user, then within the properties of the group policy assigned to the network client access profile you will apply an acl filter.

The named acl will be allow vpn address scope to servers on 3389

deny vpn address scope 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

permit vpn address scope any any.

If it is a site to site tunnel the acl is applied differently.