Beginner

How to do one-way access on ASA 5515 when users connect via cisco VPN Client

Hi!

The users have access to some servers through Cisco VPN Client. In ACL Manager I created the necessary ACL and ACE and then I applied the ACL to the Group Policy for the users. The users now have access to some servers through Cisco VPN Client and the servers have access back. Everything works fine, but now I need my computer to have access to the remote users while they are connected via Cisco VPN Client, and the users should not have access to my computer. I do not know how to do it. I did not apply NAT on the ASA, because the ASA is for VPNs only. There is no need for NAT.

Help me please!!

Thank you!

Cisco Employee

On the ACL that you apply to the group policy, just configure the deny statement towards your computer ip address and you would need to apply the deny statement on the first line.

Beginner

This is my access list:

access-list ACL_FOR_REMOTE_VPN_USERS extended permit ip object 10.1.5.9 object-group SERVERS

And then I apply this ACL to the Group Policy.

10.1.5.9 has access to all the computers in the object-group SERVERS and vice versa. When I delete the IP of my computer from the object-group SERVERS, 10.1.5.9 doesn't have access anymore and my computer doesn't have access to 10.1.5.9 either. When I add my IP back, two-way access appears. I then configure the deny statement towards my computer's IP address from 10.1.5.9 and apply it on the first line. 10.1.5.9 doesn't have access again, which is OK, but my computer doesn't have access to 10.1.5.9 either.

Cisco Employee

What type of access do you require from your computer towards the client? RDP? SSH?

Beginner

RDP or RAdmin access

Cisco Employee

OK, then configure the following:

access-list ACL_FOR_REMOTE_VPN_USERS extended permit tcp object 10.1.5.9 eq 3389 host

Then remove the IP address of your computer from the object-group SERVERS.
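The complete form of the suggestion above, as an added example that is not from the thread. The admin workstation address, the object names and the group-policy name are placeholders; Cisco documents a vpn-filter ACL as written with the VPN client in the source position and evaluated for both directions of the tunnel, which is why the client's port is in the source-port position.

```text
! Added example, not the original poster's or Cisco's configuration.
! 10.1.5.9 is the remote user from the thread; 192.0.2.10 is a placeholder
! for the administrator's workstation.
object network REMOTE_USER
 host 10.1.5.9
object network ADMIN_PC
 host 192.0.2.10

! Client's port 3389 in the source-port position: only connections where the
! VPN client is the RDP server (admin PC initiating to the client) match.
access-list ACL_FOR_REMOTE_VPN_USERS remark admin PC -> remote user RDP only
access-list ACL_FOR_REMOTE_VPN_USERS extended permit tcp object REMOTE_USER eq 3389 object ADMIN_PC

! Existing two-way access to the server group (ADMIN_PC must not be a member
! of SERVERS, or the permit ip line re-opens the reverse direction).
access-list ACL_FOR_REMOTE_VPN_USERS extended permit ip object REMOTE_USER object-group SERVERS

! Apply as a vpn-filter in the group policy rather than as an interface ACL.
group-policy GP_REMOTE_USERS attributes
 vpn-filter value ACL_FOR_REMOTE_VPN_USERS
```

Verify the direction with a live session: show vpn-sessiondb detail remote on the ASA confirms the filter is attached, and a failed RDP attempt from the client toward the admin PC shows the deny in the ACL hit counts of show access-list ACL_FOR_REMOTE_VPN_USERS.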

Beginner

This is an excerpt from Cisco Official VPN Cert Guide:

You can configure standard ACLs to either permit or deny access from a remote user to an internal subnet or specific destination, or you can configure an extended ACL to either permit or deny a remote user access to an internal resource based on the source/destination/protocol/port parameters (depending on the level of granularity you require for your rules).

You configure global ACLs using the ASDM by navigating to Configuration > Firewall > Advanced > ACL Manager, and so on .........

I think this method works for remote users only, and when I want to have access to remote users I need another tactic.

Cisco Employee

Did my suggestion above not work?

Beginner

Just for simplicity I changed permit tcp .... eq 3389 to icmp and removed my IP from the object-group. And again I can ping the remote host and the remote host can ping me.

Cisco Employee

Well, icmp is different. You would need to specify echo-request or echo...

Pls try with tcp/3389

Beginner

I tried tcp/3389. The remote user has RDP access to my computer, but I don't. I then changed tcp to ip. We both have RDP access to each other. After changing ip back to tcp/3389, the remote user has RDP access to my computer and I don't.

Beginner

The solution is close. I need vice versa.