10-08-2010 02:21 AM - edited 03-11-2019 11:52 AM
Hi,
This is my first post here, so I hope I get this right. I hope someone else has played around with the built-in firewall in the AnyConnect client and has an idea how to configure it.
First of all, the setup:
It's an ASA-5520 running software 8.3.2 with AnyConnect 2.5.1025 on a Windows 7 client.
When the client PC connects, I want to push firewall rules to the built-in firewall in the AnyConnect client. My goal is to push rules that allow all traffic to the PC's local LAN, but block all incoming traffic to the PC. Traffic through the VPN interface should have no restrictions and uses split-tunneling. Allow Local LAN Access is enabled.
In the ASA, there are two access-lists that you can apply which push rules to the PC. There is a "Private network rule" and a "Public network rule". I want to leave the "Private network rule" at "None" but assign an access-list to the "Public network rule" which blocks all incoming traffic to the PC, but still allows all outbound traffic to the client PC's local LAN, except for the traffic that hits the split-tunnel network list and is routed into the VPN tunnel.
Does anyone have any suggestions on how to write the "Public network rule"-access-list?
In the old IPSEC client configuration you set an inbound and an outbound access-list. This is not possible anymore, since I can only assign ONE access-list to the Public network rule.
Best regards,
Daniel
10-08-2010 08:43 AM
Daniel,
I'm a bit puzzled. Wouldn't doing downloadable ACLs be a solution for you?
ASA doesn't have inbound and outbound filter on crypto map, you can apply vpn-filter per-tunnel group or by using downloadable ACLs.
Marcin
10-09-2010 12:33 AM
Hello Marcin,
Thank you for your response. The access-list filter I am mentioning is pushed to the client PC. For Linux clients it will be entered as iptables rules and for Windows it's entered into the Windows Firewall. The goal is to lock down the connecting client's firewall for incoming traffic.
This was possible in the old IPSEC setup, where you set a separate inbound and outbound rule. Although in this new implementation of AnyConnect it is only possible to specify one access-list. What I can't figure out is how I can block all incoming traffic to the client PC while still allowing outbound traffic to the Local LAN?
The function is activated with the following command:
group-policy DfltGrpPolicy attributes
Best regards,
Daniel
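An added configuration example, not from the thread, showing how an access-list is bound to the AnyConnect "Public network rule" on ASA 8.3. The ACL name AC_PUBLIC_FW, the local LAN 192.168.1.0/24 and the use of DfltGrpPolicy are constructed placeholders, and since Daniel's post does not show the full command, the `anyconnect firewall-rule` form below is an assumption based on the 8.3 command set.

```cisco
! Constructed example: ACL pushed to the AnyConnect client firewall as the "Public network rule".
! Assumed local LAN of the client PC (placeholder): 192.168.1.0/24
! First line keeps the local LAN reachable; the final deny drops everything else on the public interface.
access-list AC_PUBLIC_FW extended permit ip any 192.168.1.0 255.255.255.0
access-list AC_PUBLIC_FW extended deny ip any any
!
! Private network rule is left unset; only the public rule is pushed.
group-policy DfltGrpPolicy attributes
 webvpn
  anyconnect firewall-rule client-interface public value AC_PUBLIC_FW
```

Whether the client firewall treats an ACE as inbound-only or outbound-only is not settled in this thread, so after connecting, inspect the rules the client actually installed (the Windows Firewall rule list, or `iptables -L` on Linux) before relying on the policy.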
10-09-2010 01:30 AM
Daniel,
Apologies, in fact I never played with IronPort integration. I see the feature has quite a few requirements:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s8.html#wp1572564
And nothing in configuration guide ... awesome ;/
Also internally information is scarce, if you don't mind I'll dig into this on Monday. Maybe file a documentation bug.
Marcin