Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
673
Views
0
Helpful
1
Replies

Cisco Anyconnect Firewall rules

elden25
Level 1
Level 1

‎01-27-2023 05:36 PM

Hallo,

we're setting FPR with ASA Image for VPN remote access. The users will get private IP addresses that are routed in the local LAN, so no NAT in between. As far as I understand now, these IPs are reachable from anywhere in the LAN. How would I set firewall rules at the FPR such that these IPs cannot be reached? Are these Group Policy rules or can I just set them at Firewall -> Access rules, i.e.:

any -> 192.168.10.0/24: any deny

10.0.0.0.1 192.168.1.254
Labels:
0 Helpful
1 Reply 1

Marius Gunnerud
VIP
VIP

‎01-28-2023 02:58 PM

Regardless of if this is remote access or IPsec VPN, you can disable the access control policy bypass in which case you would need to create access rules on the interface that the VPN is terminated on (usually the outside interface).  Doing this will allow you to limit what access the users at the remote site can access in your local LAN.  To do this you need to un-check / un-select the Bypass Access Control Policy for decrypted traffic (sysopt permit-vpn) when setting up the VPN.  It can also be disabled after setup if needed.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card