The vpn-filter command does not restrict access on a PIX Firewall/ASA running software version 7.x when used with Cisco IOS 12.x EZVPN clients

Core issue

This issue is documented in Cisco bug ID CSCse96559.

This problem occurs when the vpn-filter command is applied to the group-policy for remote access IPsec clients on a PIX Firewall/Cisco Adaptive Security Appliance (ASA) running software version 7.2.1: the access list named by vpn-filter is not enforced, so traffic from the affected clients reaches the internal network unrestricted. This issue only affects Cisco IOS EZVPN clients; other remote access clients connecting to the same group-policy are filtered as expected.

Resolution

As a workaround, enforce the restriction with the interface ACL instead of the group-policy vpn-filter. Perform these steps:

  1. Disable the sysopt connection permit-vpn command, so that decrypted VPN traffic is no longer exempt from interface ACLs:

    hostname(config)# no sysopt connection permit-vpn

  2. Issue the access-group command in order to apply the Access Control List (ACL) to the outside interface in the inbound direction:

    hostname(config)# access-group <acl_out> in interface outside

    This forces traffic from the VPN users through the outside ACL before the internal network is accessed, which is the same check the vpn-filter was meant to perform.

    Note that sysopt connection permit-vpn is a global setting. Once it is disabled, decrypted traffic from every tunnel terminating on the outside interface (other remote access groups and LAN-to-LAN tunnels included) is also checked against <acl_out>, so that ACL must explicitly permit the flows those tunnels need. Write the entries for VPN users with their decrypted addresses as the source (the assigned pool address, or the protected subnet for a client in network-extension mode), and use the hit counts in show access-list <acl_out> to confirm that client traffic is matching the intended lines.
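The following configuration is an added illustration and is not part of the original article or of Cisco documentation. It shows the group-policy vpn-filter that the bug leaves unenforced for IOS EZVPN clients, followed by the interface-ACL workaround that expresses the same policy. All names and addresses are assumptions: EZVPN-GP, VPN-FILTER and acl_out are hypothetical object names, 10.10.10.0/24 is an assumed client address pool and 192.168.1.0/24 an assumed inside network.

```text
! --- Intended restriction: only HTTPS from VPN clients to the inside network ---
! On 7.2.1 this vpn-filter is NOT applied to IOS EZVPN clients (CSCse96559).
! vpn-filter ACLs are written with the remote (client) side as source.
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
access-list VPN-FILTER extended deny ip any any
!
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-filter value VPN-FILTER
!
! --- Workaround: enforce the same policy with the outside interface ACL ---
! With sysopt connection permit-vpn disabled, decrypted traffic from EVERY
! tunnel terminating on "outside" is evaluated against acl_out, so the ACL
! must also carry permit lines for any other remote access groups or
! LAN-to-LAN peers that terminate here.
no sysopt connection permit-vpn
!
access-list acl_out extended permit tcp 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0 eq 443
! Explicit deny with logging for the client pool makes blocked attempts
! visible in syslog; the implicit deny at the end would drop them silently.
access-list acl_out extended deny ip 10.10.10.0 255.255.255.0 any log
!
access-group acl_out in interface outside
```

After applying the workaround, establish an EZVPN session and check show access-list acl_out: the permit line for the client pool should accumulate hits for allowed HTTPS traffic, and the deny line should accumulate hits (and generate log messages) for anything else the client attempts, which is the behaviour the vpn-filter was expected to provide.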