07-11-2022 08:50 PM
Good evening. From a firewall perspective, which interface does the ASA consider an AnyConnect VPN client to be coming in on? Here is the situation: I have allowed restricted access from INSIDE to our DMZ based on source and destination IP addresses. Only 6 machines on the INSIDE should be able to talk to the machine in the DMZ. This part is working fine. However, remote access VPN clients on the same ASA have full access to the DMZ machine for some reason. I need to block this but can't figure out where to create the rule. I have already confirmed the traffic coming in from OUTSIDE does not have a rule allowing it to talk to the DMZ machine in question. I also have a global deny all.
Please advise.
Thank you
07-11-2022 09:09 PM
Most commonly, AnyConnect and site-to-site VPNs are set to bypass interface ACLs with the "sysopt connection permit-vpn" command. You may need to "show run all" to see this command, as it is a hidden default.
There are at least two ways to restrict the AnyConnect clients even with that command enabled:
1. Only tunnel specified subnets to the client and exclude the DMZ subnet.
2. Add a vpn-filter for the client connections (e.g. good to use when you otherwise tunnel all traffic).
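The vpn-filter approach from option 2, written out as an added example (not configuration from the original answer). The pool, DMZ host and names are constructed placeholders: assume an AnyConnect address pool of 192.0.2.0/24, the DMZ host at 198.51.100.10, and a group policy named ANYCONNECT_GP. A vpn-filter ACL for remote-access clients is written with the client-assigned addresses as the source and the internal network as the destination; the ASA applies it to decrypted traffic leaving the tunnel and to return traffic entering it. Because a vpn-filter ACL ends with an implicit deny, the final permit line is what keeps every other destination reachable.

```cisco
! Added example, constructed values: VPN pool 192.0.2.0/24, DMZ host 198.51.100.10
! Deny the DMZ host first, then permit everything else the clients are allowed to reach
access-list VPN_FILTER extended deny ip 192.0.2.0 255.255.255.0 host 198.51.100.10
access-list VPN_FILTER extended permit ip 192.0.2.0 255.255.255.0 any

! Attach the filter to the group policy the AnyConnect tunnel-group uses (name assumed)
group-policy ANYCONNECT_GP attributes
 vpn-filter value VPN_FILTER

! Verification after a client reconnects:
! confirm the hidden bypass is still in effect, so you know the interface ACLs are not what protects the DMZ
show run all sysopt | include permit-vpn
! confirm the filter is bound to the active session
show vpn-sessiondb anyconnect
! watch the deny line's hit count climb when a client tries to reach the DMZ host
show access-list VPN_FILTER
```

Existing sessions keep their old filter until they reconnect, so test with a fresh connection. If split tunneling (option 1) is also in use, the vpn-filter still applies to whatever subnets are tunneled, so the two options can be combined.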
07-11-2022 11:38 PM
There are many ways.
First:
vpn-filter under group-policy
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
Second:
no sysopt connection permit-vpn
then apply an ACL on the DMZ interface to deny traffic from VPN
and apply an ACL on the Inside interface to allow traffic from VPN
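The second approach above (disabling the bypass and relying on interface ACLs), as an added example rather than configuration from the answer. Once "sysopt connection permit-vpn" is removed, decrypted AnyConnect traffic is evaluated by the ACL on the interface where the tunnel terminates (normally OUTSIDE), so that ACL must explicitly permit what the clients are allowed to reach. Interface and network names, the pool 192.0.2.0/24, the inside network 10.0.0.0/8 and the DMZ host 198.51.100.10 are all constructed assumptions.

```cisco
! Added example, constructed values: VPN pool 192.0.2.0/24, inside 10.0.0.0/8, DMZ host 198.51.100.10
! Step 1: stop VPN traffic from bypassing interface ACLs (affects ALL VPN types on this ASA)
no sysopt connection permit-vpn

! Step 2: the OUTSIDE inbound ACL now sees decrypted client traffic.
! Deny the DMZ host, permit the inside network, and let the existing global deny catch the rest.
access-list OUTSIDE_IN extended deny ip 192.0.2.0 255.255.255.0 host 198.51.100.10
access-list OUTSIDE_IN extended permit ip 192.0.2.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group OUTSIDE_IN in interface OUTSIDE

! Verification: the deny line should accumulate hits when a client tries the DMZ host
show access-list OUTSIDE_IN
! and the bypass must no longer appear in the full running config
show run all sysopt | include permit-vpn
```

The caveat a practitioner should weigh before choosing this route: removing the sysopt bypass changes the behaviour of every VPN on the box, including site-to-site tunnels, so each peer's traffic must then be permitted in the terminating interface's ACL. The vpn-filter method scopes the restriction to one group policy and avoids that side effect.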