09-07-2016 02:54 AM - edited 03-12-2019 01:14 AM
Hello, everybody!
I have an ASA 5506 with an L2TP VPN server on it. Everything works fine.
My internal network is 10.0.0.0/24; the VPN IP scope is 10.0.0.160-10.0.0.230.
I have to limit all access for VPN clients to internal resources, except RDP to two servers.
I've created two rules for the VPN clients in the outside section:
1st - allow the VPN client scope access to the servers on port tcp/3389
2nd - deny the VPN client scope access to any
The problem is that, regardless of my rules mentioned above, VPN clients have full access to internal resources.
I have tried to split the internal range 10.0.0.0/24 into two scopes: 10.0.0.1-10.0.0.159 and 10.0.0.231.
The problem still exists. Please take a look at the screenshot provided.
Do you have any ideas how to solve the problem?
Many thanks in advance,
Ilya
09-07-2016 03:43 AM
Hello, please uncheck the option "Bypass interface access list..." in the Connection profile (see the attachment). But be careful with this option: it may influence other VPNs if you have them, for example Site-to-Site IPsec.
09-07-2016 03:22 AM
If you have applied this ACL on the outside interface then it will not work, as traffic from outside arrives at the firewall in VPN-encrypted form and is only then decrypted and sent to the internal network. Better apply this rule on the internal interface of the firewall, i.e. the inside interface in the out direction.
09-07-2016 03:33 AM
Thanks for your reply, Pawan!
The problem is that I've applied this rule to both outside and inside and there is no result. =(((
09-07-2016 03:39 AM
On the inside interface the direction must be out (i.e. outbound). Would you like to share the inside interface outbound ACL?
09-07-2016 04:20 AM
I'm sorry, what do you mean by "outbound direction"?
Please explain it...
Many thanks to you!
09-07-2016 04:22 AM
Every interface has two directions, in and out. Do you have any ACL on the inside interface in the out direction?
You can find that with show run access-group.
09-07-2016 05:16 AM
I've done as you told me. I'll check it in two hours and report my results.
Thank you.
09-07-2016 11:23 AM
By L2TP server, do you mean an individual user using an L2TP client to create a VPN connection to the firewall, or a site-to-site tunnel between two devices using L2TP?
If it is an individual user, then within the properties of the group policy assigned to the network client access profile you will apply an ACL filter.
The named ACL will be: allow the VPN address scope to the servers on 3389;
deny the VPN address scope to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16;
permit the VPN address scope to any any.
If it is a site-to-site tunnel, the ACL is applied differently.
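Both approaches in this thread written out as ASA CLI, as an added example that is not part of any post above: the group-policy vpn-filter described in the answer directly above, and the `no sysopt connection permit-vpn` command that sits behind the "Bypass interface access list" checkbox in the accepted answer. The server addresses 10.0.0.10 and 10.0.0.11, the object and ACL names, and the group-policy name L2TP_GP are assumptions; only the VPN pool 10.0.0.160-10.0.0.230 comes from the original post. Substitute your own names and addresses.

```cisco
! --- Shared objects (server addresses are assumed, substitute your own) ---
object network VPN_POOL
 range 10.0.0.160 10.0.0.230
object-group network RDP_SERVERS
 network-object host 10.0.0.10
 network-object host 10.0.0.11

! --- Option A: per-group-policy vpn-filter (the approach in the post above) ---
! A vpn-filter ACL is written with the VPN client as the SOURCE, like an
! inbound ACL on the outside interface, and is evaluated for traffic in both
! directions of the tunnel. The explicit deny is only there for hit counts;
! the implicit deny at the end of the ACL would drop the traffic anyway.
access-list VPN_RDP_ONLY remark VPN clients may only reach the two RDP servers
access-list VPN_RDP_ONLY extended permit tcp object VPN_POOL object-group RDP_SERVERS eq 3389
access-list VPN_RDP_ONLY extended deny ip object VPN_POOL any

group-policy L2TP_GP attributes
 vpn-filter value VPN_RDP_ONLY

! L2TP/IPsec clients normally land in DefaultRAGroup; attach the policy there
tunnel-group DefaultRAGroup general-attributes
 default-group-policy L2TP_GP

! --- Option B: make decrypted VPN traffic hit the outside interface ACL ---
! This is the single GLOBAL command behind the ASDM checkbox "Bypass interface
! access lists for inbound VPN sessions". Turning it off affects every tunnel
! on the box, including site-to-site IPsec, which is the caveat in the
! accepted answer: those tunnels then also need permit rules in OUTSIDE_IN.
no sysopt connection permit-vpn

access-list OUTSIDE_IN remark VPN client rules must precede the general rules
access-list OUTSIDE_IN extended permit tcp object VPN_POOL object-group RDP_SERVERS eq 3389
access-list OUTSIDE_IN extended deny ip object VPN_POOL any
access-group OUTSIDE_IN in interface outside

! --- Verification ---
! Hit counts on the filter lines should climb while a client tries RDP versus
! something else; Filter Name in the session detail confirms the policy applied.
show access-list VPN_RDP_ONLY
show vpn-sessiondb detail
show run sysopt
```

Option A is the one to prefer for the case in this thread: it is scoped to the one group policy, so it does not change how the rest of the outside ACL or any site-to-site tunnel is evaluated, and it also explains why the original outside-interface rules never matched: with `sysopt connection permit-vpn` at its default, decrypted VPN traffic bypasses interface ACLs entirely. Note that an L2TP client must reconnect after the vpn-filter is attached, since the filter is bound to the session at login.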