Showing results for 
Search instead for 
Did you mean: 


How to do one-way access on ASA 5515 when users connect via cisco VPN Client


The users have access to some servers through cisco vpn client. In ACL Manager I created the nesessary ACL and ACE and then I applied the ACL to the Group Policy for the users. The users now have access to some servers through cisco vpn client and the servers have the access back. Everything works fine, but now I need my computer to have access to the remote users while they are connected via cisco VPN Client and the users should not have access to my computer. I do not know how to do it. I did not applied NAT on the ASA, because ASA is for VPNs only. There is no need for NAT.

Help me please!!

Thank you!

Jennifer Halim
Cisco Employee

On the ACL that you apply to the group policy, just configure the deny statement towards your computer ip address and you would need to apply the deny statement on the first line.

That is my access list

access-list ACL_FOR_REMOTE_VPN_USERS extended permit ip object object-group SERVERS

And then I apply this ACL to the Group Policy. has an access to all the computers in the object-group SERVERS and vice-versa. When I delete an IP of my computer from the object-group SERVERS, doesn't have access anymore and my computer doesn't have access to either. I then add back my IP, two-way access appears. I then configure the deny statement towards my computer ip address from and apply it on the first line. doesn't have access again, that is OK, but my computer doesn't have access to either.

What type of access do you require from your computer towards the client? RDP? SSH?

RDP or RAdmin access

OK, then configure the following:

access-list ACL_FOR_REMOTE_VPN_USERS extended permit tcp object eq 3389 host

Then take the ip address of your computer off from the object-group SERVERS

This is an excerpt from Cisco Official VPN Cert Guide:

You can configure standard ACLs to either permit or deny access from

a remote user to an internal subnet or specific destination, or you can configure an

extended ACL to either permit or deny a remote user access to an internal resource

based on the source/destination/protocol/port parameters (depending on the level of

granularity you require for your rules).

You configure global ACLs using the ASDM by navigating to Configuration > Firewall

> Advanced > ACL Manager, and so on .........

I think this method works for remote users only and when I want to have an access to remote users I need other tactic.

Did my suggestion above not work?

Just for simplicity I changed permit tcp .... eq 3389  for icmp and removed my IP from the object-group. And again I can ping the remote host and the remote host can ping me.

Well, icmp is different. You would need to specify echo-request or echo...

Pls try with tcp/3389

I tried  tcp/3389. The remote user has RDP access to my computer, but I don't. I then changed tcp for ip. We both have an RDP access to each other. After changing back ip to tcp/3389, the remote user has RDP access to my computer and I don't have one.

The solution is close. I need vice versa

Recognize Your Peers
Content for Community-Ad