Deny access to VPN users to some internal resources on ASA

Ilya Semenov
Level 1
Level 1

Hello, everybody!

I have an ASA 5506 with an L2TP VPN server on it. Everything works fine.

My internal network is 10.0.0.0/24, VPN IPs scope is 10.0.0.160-10.0.0.230.

I have to limit all access for VPN clients to internal resources, except RDP to two servers.

I've created two rules for VPN Clients in outside section:

1st - allow VPN clients scope access to servers on port tcp/3389

2nd - deny VPN clients scope access to any

The problem is that regardless of my rules mentioned above, VPN clients have full access to internal resources.

I have tried to split internal range 10.0.0.0/24 in two scopes: 10.0.0.1-10.0.0.159 and 10.0.0.231.

The problem still exists. Please take a look at the screenshot provided.

Do you have any ideas on how to solve the problem?

Many thanks in advance,

Ilya

Accepted Solution

Boris Uskov
Level 4
Level 4

Hello, please uncheck the option "Bypass interface access list..." in the Connection profile (see the attachment). But be careful with the option: this may influence other VPNs if you have them, for example Site-to-Site IPsec.

9 Replies

Pawan Raut
Level 4
Level 4

If you have applied this ACL on the outside interface then it will not work, as traffic from outside comes to the firewall in VPN-encrypted form, and only then gets decrypted and goes to the internal network. Better apply this rule on the internal interface of the firewall, i.e. the inside interface in the out direction.

Thanks for your reply, Pawan!

The problem is I've applied this rule to both outside and inside and there is no result. =(((

On the inside interface the direction must be out (i.e. outbound). Would you like to share the inside interface outbound ACL?

I'm sorry, what do you mean by "outbound direction"?

Please, explain it...

Many thanks to you!

Every interface has two directions, in and out. Do you have any ACL on the inside interface in the out direction?

You can find that with show run access-group

I've done as you told me. I'll check it in two hours and report my results.

Thank you.

By L2TP server, do you mean this is an individual user using an L2TP client to create a VPN connection to the firewall, or is it a site-to-site tunnel between two devices using L2TP?

If it is an individual user, then within the properties of the group policy assigned to the network client access profile you will apply an ACL filter.

The named ACL will be: allow VPN address scope to servers on 3389

deny VPN address scope to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16

permit VPN address scope any any.

If it is a site-to-site tunnel the ACL is applied differently.
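Added example (not from the thread or its screenshot): the ASA CLI equivalent of the two fixes suggested above, a vpn-filter ACL in the group policy that permits only RDP from the pool to the two servers, and the accepted answer's alternative of disabling "Bypass interface access list" (sysopt connection permit-vpn) so the existing interface ACLs are actually evaluated for decrypted VPN traffic. The object names, the server addresses 10.0.0.10 and 10.0.0.11, and the group-policy name are assumed placeholders.

```cisco
! Constructed example; object names, server addresses and group-policy name are assumptions
! VPN address pool from the thread (10.0.0.160-10.0.0.230)
object network VPN_POOL
 range 10.0.0.160 10.0.0.230
! The two RDP servers (placeholder addresses)
object-group network RDP_SERVERS
 network-object host 10.0.0.10
 network-object host 10.0.0.11

! Fix 1: vpn-filter in the group policy. The ACL is written from the client side
! (source = VPN client, destination = local network) and is applied to both directions
! of the tunnel. A vpn-filter ACL ends in an implicit deny; the explicit deny line
! only makes the dropped traffic visible in the hit counts.
access-list VPN_FILTER extended permit tcp object VPN_POOL object-group RDP_SERVERS eq 3389
access-list VPN_FILTER extended deny ip object VPN_POOL 10.0.0.0 255.255.255.0
group-policy L2TP_GROUP_POLICY attributes
 vpn-filter value VPN_FILTER

! Fix 2 (accepted answer): stop decrypted VPN traffic from bypassing the interface ACLs.
! This is the default setting that made the original outside-interface rules ineffective.
! It is global: every VPN on the box, site-to-site tunnels included, becomes subject to
! the interface ACLs, so check those ACLs before changing it.
no sysopt connection permit-vpn

! Verification
show run access-group
show access-list VPN_FILTER
```

Either fix on its own is enough for this case; the vpn-filter is the narrower one because it only affects the sessions that use that group policy.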
