Solved: ssl vpn and acl to restrict access to inside network

mahesh18 · ‎04-21-2016

Hi everyone,

Users connect to ssl anyconnect vpn from outside network.

There is no ACL in firewall that restricts users from what they can access in the inside network.?

config has

sysopt connection permit-vpn

Routing shows

route inside 140.15.0.0 255.255.0.0 192.141.x.x
route inside 0.0.0.0 0.0.0.0 192.141.x.x tunneled

does this mean that vpn users are allowed to access everything in the network once they are connected?

Dinesh Moudgil · ‎04-21-2016

Hello Mahesh,

If you have "sysopt connection permit-vpn" command , then it bypasses the interface access-list to allow the users to access the resources.

With that being said, what it stands for is , you don't need to explicitly allow the addresses that are required to be accessible over VPN.

Now to access the resources, you need the correct access-list and natting (or nat exemption depending on the scenario). E.g. even if you have the permitted all the traffic for ssl vpn user, if the nat exemption is not present, the users will not be able to access the network behind ASA.

Additionally, we restrict what can be accessed from ssl vpn users via split-tunnel-policy. Default policy is tunnel-all and you can modify it to tunnel-specified to allow access of only specific subnets behind ASA.

In essence, even if you have sysopt command present, traffic might not be permitted if it is blocked on lan interface access-list.

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

View solution in original post

Marius Gunnerud · ‎04-22-2016

Just to add to what Dinesh has already said, even though you are tunneling all traffic for AnyConnect you can use the VPN filter under group-policy to restrict access also.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

Dinesh Moudgil · ‎04-21-2016

Hello Mahesh,

If you have "sysopt connection permit-vpn" command , then it bypasses the interface access-list to allow the users to access the resources.

With that being said, what it stands for is , you don't need to explicitly allow the addresses that are required to be accessible over VPN.

Now to access the resources, you need the correct access-list and natting (or nat exemption depending on the scenario). E.g. even if you have the permitted all the traffic for ssl vpn user, if the nat exemption is not present, the users will not be able to access the network behind ASA.

Additionally, we restrict what can be accessed from ssl vpn users via split-tunnel-policy. Default policy is tunnel-all and you can modify it to tunnel-specified to allow access of only specific subnets behind ASA.

In essence, even if you have sysopt command present, traffic might not be permitted if it is blocked on lan interface access-list.

Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

mahesh18 · ‎04-29-2016

Many thanks Dinesh.

Marius Gunnerud · ‎04-22-2016

Just to add to what Dinesh has already said, even though you are tunneling all traffic for AnyConnect you can use the VPN filter under group-policy to restrict access also.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts