
AnyConnect VPN Filter on FPR on FMC

smailmilak
Level 4

Hi, 

I have this on ASA which allows an AnyConnect user to specific networks only.

username Samsung attributes
vpn-filter value ACL-VPN-Filter-Samsung
service-type remote-access

access-list ACL-VPN-Filter-Samsung extended permit ip any host 10.1.1.6
access-list ACL-VPN-Filter-Samsung extended deny ip any 10.0.0.0 255.0.0.0
access-list ACL-VPN-Filter-Samsung extended deny ip any 172.16.0.0 255.240.0.0
access-list ACL-VPN-Filter-Samsung extended deny ip any 192.168.0.0 255.255.0.0
access-list ACL-VPN-Filter-Samsung extended permit ip any any

How can I get this on FPR (Managed on cloud FMC)? I am using Azure SSO for authentication btw.
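Before translating a vpn-filter into ACP rules it helps to confirm exactly what the existing ACL permits. The evaluator below is an added example, not part of the thread or a Cisco tool: it parses the ACL lines posted above (ASA `extended` syntax with `any`, `host` and subnet-mask address specs, protocol `ip` only) and applies the ASA's first-match, implicit-deny evaluation; the client source address 10.200.0.15 is a constructed value.

```python
import ipaddress

# The vpn-filter ACL from the post, embedded here as sample input (ASA syntax).
ACL_TEXT = """
access-list ACL-VPN-Filter-Samsung extended permit ip any host 10.1.1.6
access-list ACL-VPN-Filter-Samsung extended deny ip any 10.0.0.0 255.0.0.0
access-list ACL-VPN-Filter-Samsung extended deny ip any 172.16.0.0 255.240.0.0
access-list ACL-VPN-Filter-Samsung extended deny ip any 192.168.0.0 255.255.0.0
access-list ACL-VPN-Filter-Samsung extended permit ip any any
"""

def parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK) from the token list.
    Returns (network, remaining_tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs use a normal subnet mask (not a wildcard): "10.0.0.0 255.0.0.0".
    return ipaddress.ip_network((tokens[0], tokens[1]), strict=False), tokens[2:]

def parse_acl(text):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' lines into ACEs.
    Only protocol 'ip' is handled, which is all the posted ACL uses."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto = tok[3], tok[4]
        src, rest = parse_addr(tok[5:])
        dst, _ = parse_addr(rest)
        aces.append((action, proto, src, dst))
    return aces

def evaluate(aces, src_ip, dst_ip):
    """First-match semantics as on the ASA: the first matching ACE decides.
    ASA ACLs end with an implicit deny, so no match means 'deny'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, proto, src, dst in aces:
        if s in src and d in dst:
            return action
    return "deny"

ACES = parse_acl(ACL_TEXT)

if __name__ == "__main__":
    # 10.200.0.15 is a constructed client address from the VPN pool.
    for dst in ("10.1.1.6", "10.1.1.7", "172.20.0.5", "192.168.1.10", "8.8.8.8"):
        print(f"{dst:>14} -> {evaluate(ACES, '10.200.0.15', dst)}")
```

The output shows the filter's intent: only host 10.1.1.6 is reachable inside the private ranges, while anything outside RFC 1918 space (for example 8.8.8.8) still falls through to the final `permit ip any any`; those are the two behaviours the ACP rules need to reproduce.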


@smailmilak on an FTD image you now permit/deny traffic using the normal Access Control policy, so you don't need to specify a VPN filter.

It is still possible to configure a VPN filter, this is located in the group policy configuration. I'd recommend just using the ACP to control the traffic.

Hi, 

I need to have the user list on the FPR, but it is asking for "Identity Policy"?

Under Active Sessions I see my username as LOCAL/SMILAK (LDAP), and I was hoping that I can select this user under ACP and create a rule for this user.

@smailmilak then you certainly cannot use the VPN filter. You will need to use the ACP to filter on users. You need to create an identity realm (AD) to bring in the user AD group information etc. Then apply those in the ACP rules.

Ok, got it. 
I assume that the Azure LDAP can't be used, but the on-site LDAP server?

@smailmilak on-premise LDAP or AD.
