Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5911
Views
0
Helpful
3
Replies

AnyConnect and it's build in client firewall.

Daniel Kaberger
Level 1
Level 1

‎10-08-2010 02:21 AM - edited ‎03-11-2019 11:52 AM

Hi,

This is my first post here so hope i get this right. Hope anyone else have played around with the built-in firewall in the AnyConnect client and have an idea how to configure it.

First of all, the setup:

     It's an ASA-5520 running software 8.3.2 with AnyConnect 2.5.1025 on a Windows 7 client.

When the client PC connects, I want to push firewall rules to the built-in firewall in the AnyConnect client. My goal is to push rules that allow all traffic to the PCs local LAN, but blocks all incomming traffic to the PC. Traffic through the VPN interface should have no restrictions and uses split-tunneling. Allow Local LAN Access is enabled..

In the ASA, there are two access-lists that you can apply which push rules to the PC. There is a "Private network rule" and a "Public network rule". I want to leave the "Private network rule" to "None" but assign an access-list to the "Public network rule" which blocks all incomming traffic to the PC, but still allows all outbound traffic to the client PCs local LAN, except for the traffic that hits the split-tunnel network list and is routed into the VPN tunnel.

Does anyone have any suggestions on how to write the "Public network rule"-access-list?

In the old IPSEC client configuration you set an inbound and an outbound access-list. This is not possible anymore since i can only assign ONE access-list to the Public network rule.

Best regards,

Daniel

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎10-08-2010 08:43 AM

Daniel,

I'm a bit puzzled. Wouldn't doing downloadble ACLs be a solution for you?


ASA doesn't have inbound and outbound filter on crypto map, you can apply vpn-filter per-tunnel group or by using downloadable ACLs.

Marcin

0 Helpful

Daniel Kaberger
Level 1
Level 1
In response to Marcin Latosiewicz

‎10-09-2010 12:33 AM

Hello Marcin,

Thank you for your response. The access-list filter I am mentioning is pushed to the client PC. For linux clients it will be entered as iptable-rules and for windows it's entered into the windows firewall. The goal is to lockdown the connecting clients firewall for incomming traffic.

This was possible in the old IPSEC setup where you set a seperate inbound and outbound rule. Although in this new implementation of AnyConnect it is only possible to specify one access-list. What i can't figure out is how i can block all incomming traffic to the client PC while still allowing outbound traffic to the Local LAN?

The function is activated with the following command:

     group-policy DfltGrpPolicy attributes

           webvpn
           svc firewall-rule client-interface public value ACL-CLIENT-FW-PUB
           svc firewall-rule client-interface private none

Best regards,

Daniel

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to Daniel Kaberger

‎10-09-2010 01:30 AM

Daniel,

Apologies, in fact I never played with IronPort integration I see feature has quite a few requirements

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/s8.html#wp1572564

And nothing in configuration guide ...  awesome ;/

Also internally information is scarce , if you don't mind I'll dig into this on Monday. Maybe file a documentation bug.

Marcin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card