Hello all
I am trying to restrict VPN access from a couple of subnets on a Cisco Router.
The following is the config I have put in, but it still allows the VPN to establish. Cisco AnyConnect is being used as the VPN client.
RTR# sh run | section ip access-list extended BlockVPN_CORP
ip access-list extended BlockVPN_CORP
deny udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp
deny udp 172.26.21.0 0.0.0.255 any eq isakmp non500-isakmp
deny tcp 172.26.20.0 0.0.0.255 any eq 500 4500
deny tcp 172.26.21.0 0.0.0.255 any eq 500 4500
deny udp any 172.26.20.0 0.0.0.255 eq isakmp non500-isakmp
deny udp any 172.26.21.0 0.0.0.255 eq isakmp non500-isakmp
deny tcp any 172.26.20.0 0.0.0.255 eq 500 4500
deny tcp any 172.26.21.0 0.0.0.255 eq 500 4500
permit ip any any
interface GigabitEthernet0/0.98
encapsulation dot1Q 98
ip access-group BlockVPN_CORP in
ip access-group BlockVPN_CORP out
Can you please advise where I am going wrong?
AnyConnect may be using 443 to establish the VPN. Try adding:
deny tcp any 172.26.20.0 0.0.0.255 eq 443
deny tcp any 172.26.21.0 0.0.0.255 eq 443
deny tcp 172.26.20.0 0.0.0.255 any eq 443
deny tcp 172.26.21.0 0.0.0.255 any eq 443
Obviously, the ACL entries are just for example. You'll need to take into account where the VPN traffic is terminating and specify that host. For example:
deny tcp host <VPN host IP> 172.26.20.0 0.0.0.255 eq 443
deny tcp host <VPN host IP> 172.26.21.0 0.0.0.255 eq 443
deny tcp 172.26.20.0 0.0.0.255 host <VPN host IP> eq 443
deny tcp 172.26.21.0 0.0.0.255 host <VPN host IP> eq 443
If you don't, you'll block normal SSL traffic.
HTH,
John
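A quick way to see why the original ACL lets AnyConnect through, and what John's host-scoped 443 entries change, is to evaluate sample flows against the ACL offline before touching the router. The script below is an added example, not the original poster's config, John's, or any Cisco tool: it parses IOS-style extended ACL lines with the same first-match semantics the router uses and reports which entry a flow hits. The head-end address 192.0.2.10 (standing in for the `<VPN host IP>` placeholder), the client addresses and the ports are constructed sample values, only the client-to-head-end direction is modelled, and the UDP 443 lines go beyond John's suggestion because AnyConnect's DTLS channel also uses UDP 443.

```python
"""Offline evaluator for IOS-style extended ACLs, used to check which entry a
given flow hits.  Added example, not the poster's config or Cisco tooling; the
VPN head-end 192.0.2.10 and the client addresses/ports are constructed values."""
import ipaddress
from dataclasses import dataclass

# Named ports that appear in the thread (IOS accepts names or numbers after eq).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "https": 443}


@dataclass
class Ace:
    action: str
    proto: str
    src: tuple          # (base address as int, wildcard mask as int)
    dst: tuple
    src_ports: frozenset
    dst_ports: frozenset


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(toks, i):
    """Consume 'any' | 'host A' | 'A W' at toks[i]; return ((base, wildcard), next index)."""
    if toks[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if toks[i] == "host":
        return (_ip(toks[i + 1]), 0), i + 2
    return (_ip(toks[i]), _ip(toks[i + 1])), i + 2


def _parse_ports(toks, i):
    """Consume an optional 'eq p1 p2 ...' at toks[i]; return (ports, next index)."""
    ports = set()
    if i < len(toks) and toks[i] == "eq":
        i += 1
        while i < len(toks) and (toks[i] in PORT_NAMES or toks[i].isdigit()):
            ports.add(PORT_NAMES.get(toks[i]) or int(toks[i]))
            i += 1
    return frozenset(ports), i


def parse_acl(text):
    """Parse permit/deny lines; the 'ip access-list' header and remarks are skipped."""
    aces = []
    for line in text.strip().splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("permit", "deny"):
            continue
        src, i = _parse_addr(toks, 2)
        src_ports, i = _parse_ports(toks, i)   # 'eq' right after the source = source port
        dst, i = _parse_addr(toks, i)
        dst_ports, i = _parse_ports(toks, i)   # 'eq' after the destination = destination port
        aces.append(Ace(toks[0], toks[1], src, dst, src_ports, dst_ports))
    return aces


def _match_addr(spec, ip):
    base, wild = spec
    keep = ~wild & 0xFFFFFFFF              # wildcard bits are "don't care"
    return (_ip(ip) & keep) == (base & keep)


def evaluate(aces, proto, src_ip, src_port, dst_ip, dst_port):
    """First-match evaluation. Returns (action, ace_index); ('deny', None) is the implicit deny."""
    for n, a in enumerate(aces):
        if a.proto not in ("ip", proto):
            continue
        if not (_match_addr(a.src, src_ip) and _match_addr(a.dst, dst_ip)):
            continue
        if a.src_ports and src_port not in a.src_ports:
            continue
        if a.dst_ports and dst_port not in a.dst_ports:
            continue
        return a.action, n
    return "deny", None


VPN_HOST = "192.0.2.10"   # constructed stand-in for the <VPN host IP> placeholder

# The ACL exactly as posted in the question.
ORIGINAL_ACL = """
deny udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp
deny udp 172.26.21.0 0.0.0.255 any eq isakmp non500-isakmp
deny tcp 172.26.20.0 0.0.0.255 any eq 500 4500
deny tcp 172.26.21.0 0.0.0.255 any eq 500 4500
deny udp any 172.26.20.0 0.0.0.255 eq isakmp non500-isakmp
deny udp any 172.26.21.0 0.0.0.255 eq isakmp non500-isakmp
deny tcp any 172.26.20.0 0.0.0.255 eq 500 4500
deny tcp any 172.26.21.0 0.0.0.255 eq 500 4500
permit ip any any
"""

# John's host-scoped entries placed ahead of the original ones, plus UDP 443
# lines because AnyConnect's DTLS channel also runs on UDP 443 (added here).
SCOPED_ACL = f"""
deny tcp 172.26.20.0 0.0.0.255 host {VPN_HOST} eq 443
deny tcp 172.26.21.0 0.0.0.255 host {VPN_HOST} eq 443
deny udp 172.26.20.0 0.0.0.255 host {VPN_HOST} eq 443
deny udp 172.26.21.0 0.0.0.255 host {VPN_HOST} eq 443
""" + ORIGINAL_ACL

# The unscoped form of the first suggestion, to show its side effect on ordinary HTTPS.
BROAD_ACL = """
deny tcp 172.26.20.0 0.0.0.255 any eq 443
deny tcp 172.26.21.0 0.0.0.255 any eq 443
""" + ORIGINAL_ACL


def check(acl_text, proto, src, sport, dst, dport):
    """Return just the action ('permit' or 'deny') the flow receives."""
    return evaluate(parse_acl(acl_text), proto, src, sport, dst, dport)[0]


if __name__ == "__main__":
    client = "172.26.20.15"
    print("IKE  original:", check(ORIGINAL_ACL, "udp", client, 50001, VPN_HOST, 500))
    print("TLS  original:", check(ORIGINAL_ACL, "tcp", client, 50002, VPN_HOST, 443))
    print("TLS  scoped  :", check(SCOPED_ACL, "tcp", client, 50002, VPN_HOST, 443))
    print("DTLS scoped  :", check(SCOPED_ACL, "udp", client, 50003, VPN_HOST, 443))
    print("web  scoped  :", check(SCOPED_ACL, "tcp", client, 50004, "198.51.100.7", 443))
    print("web  broad   :", check(BROAD_ACL, "tcp", client, 50004, "198.51.100.7", 443))
```

Running it shows the original ACL denying IKE on UDP 500 but permitting a TCP 443 session to the head-end (it falls through to `permit ip any any`), the scoped ACL denying both the TLS and DTLS sessions to the head-end while still permitting HTTPS to an unrelated server, and the broad variant denying that ordinary HTTPS as well. The same `evaluate` call is handy for checking entry order, since a deny placed after `permit ip any any` is never reached.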