Dynamic Access Policy (DAP) Network ACL on Cisco ASA issue

junajunction
Level 1

Hi,

We have a requirement to configure Cisco AnyConnect clients with DAP. The users should be fully tunneled and have internet access through the company network; also, the users should only have access to limited resources inside the company network.

 

I tried to achieve this with the DAP ACL by tunneling all traffic through the VPN connection.

 

Users-->AnyConnect Client-->Remote VPN-->Split Tunnel All-->DAP (Match user)-->DAP Network ACL-->Allow specific resources internal for users -->Deny all other internal resources for users-->Allow internet traffic (ip any any)

 

I found a Cisco document saying DAP ACL will not support permit and deny on the same policy. Hence the client is always getting denied to all internal traffic once the deny statements are inserted.

 

Any suggestions or workarounds are welcome.

 

Thank you,

Arjun
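
The policy described in the post (permit specific internal resources, deny the rest of the internal network, permit internet) can be rewritten as permit entries only by enumerating the address space that remains after the denied ranges are removed. The following is an added example, not part of the original post and not Cisco code. It assumes that "internal" means the three RFC 1918 blocks, that the ACL ends in an implicit deny, and it uses a hypothetical ACL name and constructed sample addresses.

```python
import ipaddress

# Assumption: "internal" means the three RFC 1918 blocks; adjust for the real network.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def subtract(pool, holes):
    """Carve every network in `holes` out of the networks in `pool`."""
    result = list(pool)
    for hole in holes:
        kept = []
        for net in result:
            if net.subnet_of(hole):          # fully inside the hole: drop it
                continue
            if hole.subnet_of(net):          # hole inside net: keep the remainder
                kept.extend(net.address_exclude(hole))
            else:                            # disjoint: keep unchanged
                kept.append(net)
        result = kept
    return result

def permit_only_destinations(allowed_internal):
    """Destinations equal to: permit allowed, deny other internal, permit any."""
    allowed = [ipaddress.ip_network(a) for a in allowed_internal]
    for a in allowed:
        if not any(a.subnet_of(i) for i in INTERNAL):
            raise ValueError(f"{a} is not inside the internal ranges")
    internet = subtract([ipaddress.ip_network("0.0.0.0/0")], INTERNAL)
    return sorted(ipaddress.collapse_addresses(allowed + internet))

def is_permitted(address, destinations):
    """True if `address` matches one of the permit-only destinations."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in destinations)

def asa_lines(destinations, acl_name="DAP-PERMIT-ONLY"):  # hypothetical ACL name
    """Render each destination as an ASA extended permit entry."""
    lines = []
    for net in destinations:
        dst = (f"host {net.network_address}" if net.prefixlen == 32
               else f"{net.network_address} {net.netmask}")
        lines.append(f"access-list {acl_name} extended permit ip any {dst}")
    return lines

if __name__ == "__main__":
    # Constructed sample: one server and one subnet the users may reach.
    sample = ["10.20.30.40/32", "192.168.50.0/24"]
    print("\n".join(asa_lines(permit_only_destinations(sample))))
```

The generated list contains no deny entries, so every internal address that is not listed is dropped only by the implicit deny at the end of the ACL.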
