08-09-2007 07:49 AM - edited 03-11-2019 03:55 AM
I need to prevent the ability of visitors who connect laptops into the network and access the Internet via VPN client software. I can block regular web browsing through our Websense server, but it does not block users who initiate VPN sessions from inside the network.
Thanks for any help.
08-16-2007 12:20 PM
Oops
Adam, you're absolutely right. I've been thinking too much in IP 50 lately. Dan, I believe that nobody would mind if you post the config; at least I won't.
08-16-2007 01:06 PM
08-16-2007 01:46 PM
Dan,
The two ACLs you currently have are not for the outside interface. One is for NAT exemption and one is for split tunneling. These are for the VPN.
If you want to stop outbound VPN, then use the ACL config I posted above.
08-16-2007 03:01 PM
You should move from conduits to ACLs.
If you move to ACLs, these should be what you need.
access-list access_outside_in extended permit tcp any host X.X.X.X eq 25
access-list access_outside_in extended permit tcp any host X.X.X.X eq 80
access-list access_outside_in extended permit tcp any host X.X.X.X eq 110
access-group access_outside_in in interface outside
access-list access_inside_in remark Block IPsec ESP and IKE (UDP 500) leaving the inside network
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in remark Clients behind the PIX are NATed, so they fall back to NAT-T on UDP 4500
access-list access_inside_in extended deny udp any any eq 4500
access-list access_inside_in extended permit ip any any
access-group access_inside_in in interface inside
HTH
08-16-2007 03:03 PM
And remember to remove the conduits.
e.g.
no conduit permit icmp any any
BTW, I forgot the ACL for ICMP.
access-list access_outside_in extended permit icmp any any
access-list access_outside_in extended permit tcp any host X.X.X.X eq 25
access-list access_outside_in extended permit tcp any host X.X.X.X eq 80
access-list access_outside_in extended permit tcp any host X.X.X.X eq 110
access-group access_outside_in in interface outside
access-list access_inside_in remark Block IPsec ESP and IKE (UDP 500) leaving the inside network
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in remark Clients behind the PIX are NATed, so they fall back to NAT-T on UDP 4500
access-list access_inside_in extended deny udp any any eq 4500
access-list access_inside_in extended permit ip any any
access-group access_inside_in in interface inside
HTH
08-16-2007 05:46 PM
Stick your 'guest' users on their own vlan, and restrict everything but 80/443 or something like that. That'll solve lots of other security issues with 'guest' access too.
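The two approaches in this thread (a deny-list on the inside interface versus a guest VLAN with a short allow-list) are easiest to compare by dry-running them against the transports a VPN client can actually use. The following is an added example, not code posted by anyone in the thread: a small evaluator for ASA/PIX-style `access-list NAME extended ...` lines that applies first-match semantics with the implicit deny, then reports which VPN transports (ESP, IKE on UDP 500, NAT-T on UDP 4500, IPsec over TCP 10000, SSL VPN on TCP 443) each ACL still permits. The ACL text, host addresses and guest subnet are constructed for the example and are not taken from the original posts.

```python
"""Dry-run an ASA/PIX-style extended ACL against the flows a VPN client opens.

Added example for this thread (not any poster's code). Addresses are
constructed RFC 5737 / RFC 1918 examples, not values from the original posts.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASA accepts service names in 'eq'; these are the ones this example understands.
PORT_NAMES = {"isakmp": 500, "www": 80, "https": 443, "smtp": 25, "pop3": 110}


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp", "esp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    action: str                # "permit" or "deny"
    proto: str                 # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(tok, i):
    """Consume one ASA address spec (any | host A | NET MASK) starting at tok[i]."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse extended ACEs; remark lines, access-group lines and blanks are ignored."""
    aces = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto = tok[3], tok[4]
        src, i = _addr(tok, 5)
        dst, i = _addr(tok, i)
        dport = None
        if i + 1 < len(tok) and tok[i] == "eq":
            port = tok[i + 1]
            dport = PORT_NAMES.get(port) or int(port)
        aces.append(Ace(action, proto, src, dst, dport))
    return aces


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    return ace.dport is None or ace.dport == pkt.dport


def evaluate(aces: List[Ace], pkt: Packet) -> str:
    """First matching ACE wins; every ASA ACL ends in an implicit deny."""
    for ace in aces:
        if _matches(ace, pkt):
            return ace.action
    return "deny"


def vpn_flows(src: str, dst: str):
    """Transports a remote-access IPsec or SSL VPN client can use to reach its headend."""
    return {
        "ESP": Packet("esp", src, dst),
        "IKE udp/500": Packet("udp", src, dst, 500),
        "NAT-T udp/4500": Packet("udp", src, dst, 4500),
        "IPsec over TCP 10000": Packet("tcp", src, dst, 10000),
        "SSL VPN tcp/443": Packet("tcp", src, dst, 443),
    }


def vpn_gaps(aces: List[Ace], src: str = "10.1.1.50", dst: str = "198.51.100.7") -> List[str]:
    """Names of the VPN transports the ACL still permits from src to dst."""
    return sorted(name for name, pkt in vpn_flows(src, dst).items()
                  if evaluate(aces, pkt) == "permit")


# Constructed copies of the two approaches discussed above (not the posted text).
INSIDE_ACL_DENY_LIST = """
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in extended permit ip any any
access-group access_inside_in in interface inside
"""

GUEST_VLAN_ALLOW_LIST = """
access-list guest_in remark Guests get web only; everything else hits the implicit deny
access-list guest_in extended permit tcp 10.9.0.0 255.255.255.0 any eq 80
access-list guest_in extended permit tcp 10.9.0.0 255.255.255.0 any eq 443
"""

if __name__ == "__main__":
    print("deny-list ACL still permits:", vpn_gaps(parse_acl(INSIDE_ACL_DENY_LIST)))
    print("guest allow-list still permits:",
          vpn_gaps(parse_acl(GUEST_VLAN_ALLOW_LIST), src="10.9.0.25"))
```

Run stand-alone it shows the deny-list leaving NAT-T, IPsec over TCP and SSL VPN open, while the guest allow-list leaves only TCP 443, which is the one transport you cannot close without also closing HTTPS browsing; that is the practical limit of either approach on a port-based firewall.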