Block Outgoing VPN Access

dlitteer
Level 1

I need to prevent the ability of visitors who connect laptops into the network and access the Internet via VPN client software. I can block regular web browsing through our Websense server, but it does not block users who initiate VPN sessions from inside the network.

Thanks for any help.

20 Replies

Oops

Adam, you're absolutely right. I've been thinking too much in IP 50 lately. Dan, I believe that nobody would mind if you post the config; at least I won't.

Thanks so much for helping with this. I've attached the config to help clarify. I know the only two ACLs on it now are for the outside interfaces only.

Dan,

The two ACLs you currently have are not for the outside interface. One is for NAT exemption and one is for split tunneling. These are for the VPN.

If you want to stop outbound VPN then use the ACL config I posted above.

You should move from conduits to ACLs.

If you move to ACLs, these should be what you need.

access-list access_outside_in remark Inbound services allowed from the Internet
access-list access_outside_in extended permit tcp any host X.X.X.X eq 25
access-list access_outside_in extended permit tcp any host X.X.X.X eq 80
access-list access_outside_in extended permit tcp any host X.X.X.X eq 110
access-group access_outside_in in interface outside

access-list access_inside_in remark Drop IPsec ESP and IKE (UDP/500) from inside hosts, allow the rest
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in extended permit ip any any
access-group access_inside_in in interface inside

HTH

And remember to remove the conduits.

e.g.

no conduit permit icmp any any

BTW, I forgot the ACL for ICMP:

access-list access_outside_in remark Inbound services allowed from the Internet
access-list access_outside_in extended permit icmp any any
access-list access_outside_in extended permit tcp any host X.X.X.X eq 25
access-list access_outside_in extended permit tcp any host X.X.X.X eq 80
access-list access_outside_in extended permit tcp any host X.X.X.X eq 110
access-group access_outside_in in interface outside

access-list access_inside_in remark Drop IPsec ESP and IKE (UDP/500) from inside hosts, allow the rest
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in extended permit ip any any
access-group access_inside_in in interface inside

HTH
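To check what the inside ACL above actually does before pushing it to a firewall, here is an added example (not code from the thread or from Cisco) that parses the ASA-style lines, evaluates sample flows first-match with an implicit deny like the ASA does, and reports which VPN-related traffic still gets through. The sample addresses and the `eq 500` keyword are assumptions; the report shows that IKE on UDP/500 and ESP are dropped while IKE NAT-T (UDP/4500) and an SSL VPN on TCP/443 still pass, which is why the guest-VLAN approach is the more complete fix.

```python
# Constructed copy of the inside ACL from the thread (ASA syntax needs "eq" before the port).
ACL_INSIDE_IN = """
access-list access_inside_in extended deny esp any any
access-list access_inside_in extended deny udp any any eq 500
access-list access_inside_in extended permit ip any any
"""

def _take_addr(tok):
    """Consume one address token: 'any' or 'host A.B.C.D'. None means any host."""
    if tok[0] == "any":
        return None, tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    raise ValueError(f"unsupported address: {tok[0]}")

def parse_acl(text):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' lines into ordered rules."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append({"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport})
    return rules

def evaluate(rules, proto, src, dst, dport=None):
    """First matching rule wins; 'ip' matches every protocol; no match means implicit deny."""
    for r in rules:
        if r["proto"] not in ("ip", proto):
            continue
        if r["src"] not in (None, src) or r["dst"] not in (None, dst):
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"

# Constructed flows a guest laptop might send; 10.0.0.5 / 203.0.113.9 are placeholder addresses.
SAMPLE_FLOWS = {
    "ipsec-esp": ("esp", None),
    "ike-udp500": ("udp", 500),
    "ike-nat-t-udp4500": ("udp", 4500),
    "ssl-vpn-tcp443": ("tcp", 443),
}

def vpn_egress_report(rules, src="10.0.0.5", dst="203.0.113.9"):
    """Map each sample flow name to the action the ACL takes on it."""
    return {name: evaluate(rules, proto, src, dst, port) for name, (proto, port) in SAMPLE_FLOWS.items()}
```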

Stick your 'guest' users on their own vlan, and restrict everything but 80/443 or something like that. That'll solve lots of other security issues with 'guest' access too.
