https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994946#M439968 <HTML><HEAD></HEAD><BODY><P>What do you mean by block internet IP from VPN Client? Do you mean that you do not wnat the VPN Client to access the Internet? Do you have split tunnel configured? If you do, then you will need to disable split tunnel, and configure VPN Filter to only allow specific access.</P></BODY></HTML> Thu, 05 Jul 2012 15:01:16 GMT Jennifer Halim 2012-07-05T15:01:16Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994945#M439966 <P>Hi all</P><P></P><P>I would like to block internet IP address from VPN client. I tried setup a rule by using ADSM, the rule was hitted but no blocked. Can you teach me how to do it?</P><P></P><P style="text-align: left;"><STRONG>Our ASA Platform:</STRONG></P><P style="text-align: left;">ASA Verison: 8.0(4)</P><P style="text-align: left;">ADSM Verison: 6.4(7)</P><P></P><P style="text-align: left;">Hugo</P> Mon, 11 Mar 2019 23:26:40 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994945#M439966 hugochengym 2019-03-11T23:26:40Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994946#M439968 <HTML><HEAD></HEAD><BODY><P>What do you mean by block internet IP from VPN Client? Do you mean that you do not wnat the VPN Client to access the Internet? Do you have split tunnel configured? If you do, then you will need to disable split tunnel, and configure VPN Filter to only allow specific access.</P></BODY></HTML> Thu, 05 Jul 2012 15:01:16 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994946#M439968 Jennifer Halim 2012-07-05T15:01:16Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994947#M439970 <HTML><HEAD></HEAD><BODY><P>Hi Hugo,</P><P></P><P>You have to find out dynamic-map associated with your remote-vpn client configuration on your ASA and apply "set reverse-route" and I have highlighted one below example for you.</P><P></P><P></P><P></P><P>crypto dynamic-map outside_dyn_map 20 <STRONG>set reverse-route</STRONG></P><P></P><P></P><P></P><P>thanks</P><P>Rizwan Rafeek</P></BODY></HTML> Fri, 06 Jul 2012 19:02:16 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994947#M439970 rizwanr74 2012-07-06T19:02:16Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994948#M439973 <HTML><HEAD></HEAD><BODY><P>Rizwan,</P><P></P><P>not quite sure why you ask Hugo to "set reverse-route" as he wants to block Internet from VPN Client.</P></BODY></HTML> Sat, 07 Jul 2012 03:13:46 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994948#M439973 Jennifer Halim 2012-07-07T03:13:46Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994949#M439975 <HTML><HEAD></HEAD><BODY><P>In the VPN ACL you need to have the specific rules alone and deny the rest.... Also you need to deny split tunneling if any......</P><P></P><P>Always we use to restrict by specifying the limited rules in VPN ACL. If you have split tunnel u need to disable it.... if they have split tunnel then the internet traffic will get routed locally for them....</P></BODY></HTML> Sat, 07 Jul 2012 17:56:32 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994949#M439975 nkarthikeyan 2012-07-07T17:56:32Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994950#M439977 <HTML><HEAD></HEAD><BODY><P>Hello Jennifer,</P><P></P><P>When firewall inject the default route on the VPN client computer and this newly added default-route have lower metric value and VPN-client’s pervious default-route will be set with higher metric value, as a result all traffic will fall into vpn tunnel interface on client computer and this method will cutoff illegitimate traffic, when vpn is established to a corporate network.</P><P>Those no-nat traffic will traverse inside corporate network and internet bound traffic can be dynamic-nat on the outside interface, if firewall administrator chooses to.</P><P></P><P>Hope that answers your question</P><P></P><P>Thanks</P><P>Rizwan Rafeek</P></BODY></HTML> Sun, 08 Jul 2012 01:06:35 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994950#M439977 rizwanr74 2012-07-08T01:06:35Z https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994951#M439981 <HTML><HEAD></HEAD><BODY><P>Yeah, but "set reverse-route" has nothing to do with what you have just explained.</P><P>"set reverse-route" will inject the VPN Client pool back into the internal dynamic routing protocol as a static route, and won't do anything on the vpn client side.</P></BODY></HTML> Sun, 08 Jul 2012 01:34:46 GMT https://community.cisco.com/t5/network-security/how-to-block-internet-ip-for-vpn-client/m-p/1994951#M439981 Jennifer Halim 2012-07-08T01:34:46Z