Kaushik Ray
Beginner

Using ACL to restrict VPN access from a Subnet

Hello all

I am trying to restrict VPN access from a couple of subnets on a Cisco Router.

The following is the config I have put in, but it still allows the VPN to establish. Cisco AnyConnect is being used as the VPN client.

RTR# sh run | section ip access-list extended BlockVPN_CORP
ip access-list extended BlockVPN_CORP
 deny   udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp
 deny   udp 172.26.21.0 0.0.0.255 any eq isakmp non500-isakmp
 deny   tcp 172.26.20.0 0.0.0.255 any eq 500 4500
 deny   tcp 172.26.21.0 0.0.0.255 any eq 500 4500
 deny   udp any 172.26.20.0 0.0.0.255 eq isakmp non500-isakmp
 deny   udp any 172.26.21.0 0.0.0.255 eq isakmp non500-isakmp
 deny   tcp any 172.26.20.0 0.0.0.255 eq 500 4500
 deny   tcp any 172.26.21.0 0.0.0.255 eq 500 4500
 permit ip any any

interface GigabitEthernet0/0.98
 encapsulation dot1Q 98
 ip access-group BlockVPN_CORP in
 ip access-group BlockVPN_CORP out

Can you please advise where I am going wrong?

John Blakley
Advisor

AnyConnect may be using 443 to establish the VPN. Try adding:

deny   tcp any 172.26.20.0 0.0.0.255 eq 443
deny   tcp any 172.26.21.0 0.0.0.255 eq 443

deny   tcp 172.26.20.0 0.0.0.255 any eq 443
deny   tcp 172.26.21.0 0.0.0.255 any eq 443

Protocol         Cisco AnyConnect Client Port
TLS (SSL)        TCP 443
SSL Redirection  TCP 80 (optional)
DTLS             UDP 443 (optional, but highly recommended)
IPsec/IKEv2      UDP 500, UDP 4500

Obviously, the ACL entries are just an example. You'll need to take into account where the VPN traffic is terminating and specify that host. For example:

deny   tcp host <VPN host IP> 172.26.20.0 0.0.0.255 eq 443
deny   tcp host <VPN host IP> 172.26.21.0 0.0.0.255 eq 443

deny   tcp 172.26.20.0 0.0.0.255 host <VPN host IP> eq 443
deny   tcp 172.26.21.0 0.0.0.255 host <VPN host IP> eq 443

If you don't, you'll block normal SSL traffic.

HTH,

John

HTH, John *** Please rate all useful posts ***
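To see why the original list never matches AnyConnect's TLS session, here is a small first-match evaluator for the IOS extended-ACL syntax used in this thread (an added example, not code from the thread or from Cisco). It runs the poster's client-to-headend entries and the proposed TCP 443 entry against constructed flows; the headend address 203.0.113.10, the client address and the port numbers are placeholders, and only contiguous wildcard masks are handled.

```python
import ipaddress
import itertools

NAMED_PORTS = {"isakmp": 500, "non500-isakmp": 4500}  # IOS port keywords used in the thread

def _port(tok):
    return NAMED_PORTS.get(tok, int(tok) if tok.isdigit() else None)

def _addr(toks):  # 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' (contiguous wildcard assumed)
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    prefix = 32 - int(ipaddress.ip_address(toks[1])).bit_length()
    return ipaddress.ip_network(f"{toks[0]}/{prefix}", strict=False), toks[2:]

def _ports(toks):  # optional 'eq p1 [p2 ...]' clause; None means any port
    if not toks or toks[0] != "eq":
        return None, toks
    vals = list(itertools.takewhile(lambda t: _port(t) is not None, toks[1:]))
    return {_port(v) for v in vals}, toks[1 + len(vals):]

def parse_ace(line):  # -> (action, proto, src_net, src_ports, dst_net, dst_ports)
    toks = line.split()
    src, rest = _addr(toks[2:])
    sports, rest = _ports(rest)
    dst, rest = _addr(rest)
    dports, _ = _ports(rest)
    return toks[0], toks[1], src, sports, dst, dports

def acl_action(acl, flow):  # flow = (proto, src_ip, src_port, dst_ip, dst_port)
    proto, sip, sport, dip, dport = flow
    for action, aproto, src, sports, dst, dports in map(parse_ace, acl):  # first match wins
        if (aproto in ("ip", proto)
                and ipaddress.ip_address(sip) in src and (sports is None or sport in sports)
                and ipaddress.ip_address(dip) in dst and (dports is None or dport in dports)):
            return action
    return "deny"  # IOS implicit deny at the end of every ACL

ORIGINAL_ACL = [  # the poster's entries for one subnet, client-to-headend direction
    "deny udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp",
    "permit ip any any",
]
VPN_HOST = "203.0.113.10"  # placeholder headend address (constructed, not from the thread)
AMENDED_ACL = [f"deny tcp 172.26.20.0 0.0.0.255 host {VPN_HOST} eq 443"] + ORIGINAL_ACL
# Constructed flows from a client in the restricted subnet
TLS_TO_VPN = ("tcp", "172.26.20.15", 51000, VPN_HOST, 443)   # AnyConnect TLS session
DTLS_TO_VPN = ("udp", "172.26.20.15", 51001, VPN_HOST, 443)  # AnyConnect DTLS channel
IKE_TO_VPN = ("udp", "172.26.20.15", 500, VPN_HOST, 500)     # IKEv2
HTTPS_ELSEWHERE = ("tcp", "172.26.20.15", 51002, "198.51.100.7", 443)  # ordinary web traffic
```

Running the flows through both lists shows the original ACL permitting the TLS session while denying IKE, the amended ACL denying TLS to the headend but still permitting HTTPS to other hosts, and DTLS on UDP 443 still permitted by the TCP-only entry; AnyConnect only negotiates DTLS after the TLS session is up, so denying TCP 443 is what stops the tunnel.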