10-15-2012 02:57 AM - edited 03-11-2019 05:08 PM
Hi!
The users have access to some servers through the Cisco VPN client. In ACL Manager I created the necessary ACL and ACE and then I applied the ACL to the Group Policy for the users. The users now have access to some servers through the Cisco VPN client and the servers have access back. Everything works fine, but now I need my computer to have access to the remote users while they are connected via the Cisco VPN Client, and the users should not have access to my computer. I do not know how to do it. I did not apply NAT on the ASA, because the ASA is for VPNs only. There is no need for NAT.
Help me please!!
Thank you!
10-15-2012 04:11 AM
On the ACL that you apply to the group policy, just configure the deny statement towards your computer ip address and you would need to apply the deny statement on the first line.
10-15-2012 05:25 AM
This is my access list:
access-list ACL_FOR_REMOTE_VPN_USERS extended permit ip object 10.1.5.9 object-group SERVERS
And then I apply this ACL to the Group Policy.
10.1.5.9 has access to all the computers in the object-group SERVERS and vice versa. When I delete the IP of my computer from the object-group SERVERS, 10.1.5.9 doesn't have access anymore and my computer doesn't have access to 10.1.5.9 either. When I add my IP back, two-way access reappears. I then configure the deny statement towards my computer's IP address from 10.1.5.9 and apply it on the first line. 10.1.5.9 doesn't have access again, which is OK, but my computer doesn't have access to 10.1.5.9 either.
10-15-2012 05:32 AM
What type of access do you require from your computer towards the client? RDP? SSH?
10-15-2012 05:36 AM
RDP or RAdmin access
10-15-2012 05:39 AM
OK, then configure the following:
access-list ACL_FOR_REMOTE_VPN_USERS extended permit tcp object 10.1.5.9 eq 3389 host
Then take the IP address of your computer out of the object-group SERVERS.
10-15-2012 06:18 AM
This is an excerpt from Cisco Official VPN Cert Guide:
You can configure standard ACLs to either permit or deny access from
a remote user to an internal subnet or specific destination, or you can configure an
extended ACL to either permit or deny a remote user access to an internal resource
based on the source/destination/protocol/port parameters (depending on the level of
granularity you require for your rules).
You configure global ACLs using the ASDM by navigating to Configuration > Firewall
> Advanced > ACL Manager, and so on .........
I think this method works for remote users only, and when I want to have access to remote users I need another tactic.
10-15-2012 06:21 AM
Did my suggestion above not work?
10-15-2012 06:29 AM
Just for simplicity I changed permit tcp .... eq 3389 to icmp and removed my IP from the object-group. And again I can ping the remote host and the remote host can ping me.
10-15-2012 06:34 AM
Well, icmp is different. You would need to specify echo-request or echo...
Pls try with tcp/3389
10-15-2012 06:58 AM
I tried tcp/3389. The remote user has RDP access to my computer, but I don't. I then changed tcp to ip. We both have RDP access to each other. After changing ip back to tcp/3389, the remote user has RDP access to my computer and I don't.
10-15-2012 07:04 AM
The solution is close. I need the reverse.
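The whole thread turns on which direction a vpn-filter ACE allows. Cisco documents that a vpn-filter ACL is evaluated with the VPN client's address in the source position for traffic in both directions: for a packet travelling from the inside toward the client, the ASA compares it with source and destination swapped, so an "eq <port>" written after the client address is the client's port and an "eq <port>" written after the inside address is the inside host's port. The following Python model is an added example, not Cisco's code and not code from any post above; it implements that documented rule for the ACE forms that appear in the thread and lets you check, offline, which side can open a session under each form. 10.1.5.9 is the remote client from the thread; 10.1.1.100 (standing in for "my computer") and 10.1.1.101 are constructed addresses for the object-group SERVERS, and the "object NAME" token is assumed to name the address directly, as it does on the page.

```python
"""
Educational model of ASA vpn-filter ACL evaluation (added example, not ASA code).

Documented rule modelled here: the ACL is always evaluated with the VPN client in
the source position. A packet from the inside toward the client is compared with
source and destination swapped, so "eq N" after the client address is the client's
port, and "eq N" after the inside address is the inside host's port.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed stand-in for the thread's object-group SERVERS.
OBJECT_GROUPS = {"SERVERS": ["10.1.1.100", "10.1.1.101"]}
CLIENT_IPS = {"10.1.5.9"}          # addresses assigned to remote VPN clients
EPHEMERAL_PORT = 50000             # source port an initiator uses for a new session


@dataclass(frozen=True)
class ACE:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    client: FrozenSet[str]         # addresses in the source (client) position
    client_port: Optional[int]     # "eq N" written after the client address
    inside: FrozenSet[str]         # addresses in the destination (inside) position
    inside_port: Optional[int]     # "eq N" written after the inside address


def parse_ace(line: str, object_groups=OBJECT_GROUPS) -> ACE:
    """Parse the simplified ACE grammar used in the thread:
    access-list NAME extended ACTION PROTO <addr> [eq P] <addr> [eq P]
    where <addr> is 'host A', 'object A' or 'object-group G'.
    Assumption: an 'object' name is used directly as the address, as on the page."""
    toks = line.split()
    if toks[0] != "access-list" or toks[2] != "extended":
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, i = toks[3], toks[4], 5

    def take_addr(i):
        kw = toks[i]
        if kw in ("host", "object"):
            return frozenset([toks[i + 1]]), i + 2
        if kw == "object-group":
            return frozenset(object_groups[toks[i + 1]]), i + 2
        raise ValueError(f"unsupported address token {kw!r} in: {line}")

    def take_port(i):
        if i < len(toks) and toks[i] == "eq":
            return int(toks[i + 1]), i + 2
        return None, i

    client, i = take_addr(i)
    client_port, i = take_port(i)
    inside, i = take_addr(i)
    inside_port, i = take_port(i)
    return ACE(action, proto, client, client_port, inside, inside_port)


def evaluate(acl, proto, src, sport, dst, dport, client_ips=CLIENT_IPS) -> str:
    """Return 'permit' or 'deny' for one packet; first match wins, implicit deny at the end."""
    # Normalise so the client sits in the source position, as the ASA does.
    if src in client_ips:
        c, cp, n, np_ = src, sport, dst, dport
    elif dst in client_ips:
        c, cp, n, np_ = dst, dport, src, sport
    else:
        return "deny"                          # not traffic for this tunnel
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if c not in ace.client or n not in ace.inside:
            continue
        if ace.client_port is not None and ace.client_port != cp:
            continue
        if ace.inside_port is not None and ace.inside_port != np_:
            continue
        return ace.action
    return "deny"


def can_initiate(acl, proto, initiator, responder, port) -> bool:
    """True if the first packet of a session from initiator to responder:port is permitted."""
    return evaluate(acl, proto, initiator, EPHEMERAL_PORT, responder, port) == "permit"


if __name__ == "__main__":
    forms = {
        "permit ip (both ways)":   "access-list F extended permit ip object 10.1.5.9 object-group SERVERS",
        "eq 3389 after client":    "access-list F extended permit tcp object 10.1.5.9 eq 3389 host 10.1.1.100",
        "eq 3389 after inside":    "access-list F extended permit tcp object 10.1.5.9 host 10.1.1.100 eq 3389",
    }
    for label, line in forms.items():
        acl = [parse_ace(line)]
        print(f"{label:24} client->inside RDP: {can_initiate(acl, 'tcp', '10.1.5.9', '10.1.1.100', 3389)}"
              f"  inside->client RDP: {can_initiate(acl, 'tcp', '10.1.1.100', '10.1.5.9', 3389)}")
```

Running the module prints one line per ACE form. The model also reproduces the observation in the thread that a leading "deny ip" from the client to one inside host blocks that host in both directions, because the same ACE matches the swapped packet; a port-qualified permit is what gives a one-directional rule, and which side gets to initiate depends on which address the "eq 3389" follows.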