The users have access to some servers through cisco vpn client. In ACL Manager I created the nesessary ACL and ACE and then I applied the ACL to the Group Policy for the users. The users now have access to some servers through cisco vpn client and the servers have the access back. Everything works fine, but now I need my computer to have access to the remote users while they are connected via cisco VPN Client and the users should not have access to my computer. I do not know how to do it. I did not applied NAT on the ASA, because ASA is for VPNs only. There is no need for NAT.
Help me please!!
On the ACL that you apply to the group policy, just configure the deny statement towards your computer ip address and you would need to apply the deny statement on the first line.
That is my access list
access-list ACL_FOR_REMOTE_VPN_USERS extended permit ip object 10.1.5.9 object-group SERVERS
And then I apply this ACL to the Group Policy.
10.1.5.9 has an access to all the computers in the object-group SERVERS and vice-versa. When I delete an IP of my computer from the object-group SERVERS, 10.1.5.9 doesn't have access anymore and my computer doesn't have access to 10.1.5.9 either. I then add back my IP, two-way access appears. I then configure the deny statement towards my computer ip address from 10.1.5.9 and apply it on the first line. 10.1.5.9 doesn't have access again, that is OK, but my computer doesn't have access to 10.1.5.9 either.
OK, then configure the following:
access-list ACL_FOR_REMOTE_VPN_USERS extended permit tcp object 10.1.5.9 eq 3389 host
Then take the ip address of your computer off from the object-group SERVERS
This is an excerpt from Cisco Official VPN Cert Guide:
You can configure standard ACLs to either permit or deny access from
a remote user to an internal subnet or specific destination, or you can configure an
extended ACL to either permit or deny a remote user access to an internal resource
based on the source/destination/protocol/port parameters (depending on the level of
granularity you require for your rules).
You configure global ACLs using the ASDM by navigating to Configuration > Firewall
> Advanced > ACL Manager, and so on .........
I think this method works for remote users only and when I want to have an access to remote users I need other tactic.
Just for simplicity I changed permit tcp .... eq 3389 for icmp and removed my IP from the object-group. And again I can ping the remote host and the remote host can ping me.
Well, icmp is different. You would need to specify echo-request or echo...
Pls try with tcp/3389
I tried tcp/3389. The remote user has RDP access to my computer, but I don't. I then changed tcp for ip. We both have an RDP access to each other. After changing back ip to tcp/3389, the remote user has RDP access to my computer and I don't have one.