Filtering access for vpn clients

Ricky Sandhu
Level 3

Good evening, from a firewall perspective, which interface does the ASA consider an AnyConnect VPN client coming in on? Here is the situation: I have allowed restricted access from INSIDE to our DMZ based on source and destination IP addresses. Only 6 machines on the INSIDE should be able to talk to the machine in DMZ. This part is working fine. However remote access VPN clients on the same ASA have full access to the DMZ machine for some reason. I need to block this but can't figure out where to create the rule. I have already confirmed the traffic coming in from OUTSIDE does not have a rule allowing it to talk to the DMZ machine in question. I also have a global deny all.

Please advise.

Thank you

2 Replies

Marvin Rhoads
Hall of Fame

Most commonly AnyConnect and site-site VPNs are set to bypass interface ACLs with "sysopt connection permit-vpn" command. You may need to "show run all" to see this command as it is a hidden default.

There are at least two ways to restrict the AnyConnect clients even with that command enabled:

1. Only tunnel specified subnets to the client and exclude the DMZ subnet.

2. Add a vpn-filter for the client connections (e.g. good to use when you otherwise tunnel all traffic).

There are many ways.

First: VPN-filter under group-policy
https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Second: `no sysopt connection permit-vpn`, then apply an ACL on the DMZ interface to deny traffic from VPN, and apply an ACL on the Inside interface to allow traffic from VPN.
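The two approaches both replies describe (split tunneling that leaves the DMZ out, and a vpn-filter applied under the group policy), written out as an added ASA configuration example. This is not configuration from the thread or from Cisco's document; the group-policy name, ACL names and all addresses (VPN pool 10.10.10.0/24, DMZ host 172.16.50.10, INSIDE 192.168.1.0/24) are constructed placeholders. Lines beginning with `!` are comments.

```cisco
! Added example, not from the original thread. All names and addresses are constructed.
!   VPN client pool : 10.10.10.0/24
!   DMZ host        : 172.16.50.10
!   INSIDE subnet   : 192.168.1.0/24
!   group policy    : RA-POLICY (assumed name)

! Why the OUTSIDE ACL and the global deny did not catch the traffic:
! decrypted VPN traffic bypasses interface ACLs while this default is in place.
! It is hidden in "show run", so check it with "all".
show running-config all sysopt | include permit-vpn

! Option 1 (first reply): tunnel only the INSIDE network to the client.
! The DMZ is not in the list, so client traffic for 172.16.50.10 never enters the tunnel.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Option 2 (both replies): vpn-filter on the group policy. The filter is evaluated on
! decrypted traffic regardless of "sysopt connection permit-vpn", so it also works
! when all traffic is tunneled. For remote-access clients the ACE is written with the
! client's assigned address as the source and the protected host as the destination;
! the ASA handles the return direction itself.
access-list VPN-FILTER extended deny   ip 10.10.10.0 255.255.255.0 host 172.16.50.10
access-list VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
group-policy RA-POLICY attributes
 vpn-filter value VPN-FILTER

! Verification: confirm the filter is attached to a live session and that the deny
! ACE is incrementing while a client tries to reach the DMZ host.
show vpn-sessiondb anyconnect filter name <username>
show access-list VPN-FILTER
```

Design note: option 1 only keeps DMZ-bound packets out of the tunnel; a client that is on a network with its own route to the DMZ is not constrained by it, so the vpn-filter (option 2) is the control to rely on when the requirement is "VPN users may not reach this host". With `no sysopt connection permit-vpn` instead, the decrypted traffic is evaluated against the inbound ACL of the interface the tunnel terminates on (OUTSIDE), so that ACL then has to explicitly permit what VPN users are allowed to reach.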
