Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Join Customer Connection to register!
387
Views
4
Helpful
1
Replies
Kaushik Ray
Beginner
Beginner
‎09-29-2015 07:21 AM
‎09-29-2015 07:21 AM

Using ACL to restrict VPN access from a Subnet

Hello all

 

I am trying to restrict VPN access from a couple of subnets on a Cisco Router.

 

The following is the config I have put in but it still allows VPN to establish. Cisco AnyConnect is being used as a VPN Client

RTR# sh run | section ip access-list extended BlockVPN_CORP
ip access-list extended BlockVPN_CORP
 deny   udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp
 deny   udp 172.26.21.0 0.0.0.255 any eq isakmp non500-isakmp
 deny   tcp 172.26.20.0 0.0.0.255 any eq 500 4500
 deny   tcp 172.26.21.0 0.0.0.255 any eq 500 4500
 deny   udp any 172.26.20.0 0.0.0.255 eq isakmp non500-isakmp
 deny   udp any 172.26.21.0 0.0.0.255 eq isakmp non500-isakmp
 deny   tcp any 172.26.20.0 0.0.0.255 eq 500 4500
 deny   tcp any 172.26.21.0 0.0.0.255 eq 500 4500
 permit ip any any

 

interface GigabitEthernet0/0.98
 encapsulation dot1Q 98
 ip access-group BlockVPN_CORP in
 ip access-group BlockVPN_CORP out

 

Can you please advise where I am getting wrong?

 

 

Labels:
0 Helpful
1 REPLY 1
John Blakley
Advisor
Advisor
‎09-29-2015 07:34 AM
‎09-29-2015 07:34 AM

Anyconnect may be using 443 to establish VPN. Try adding:

deny   tcp any 172.26.20.0 0.0.0.255 eq 443
deny   tcp any 172.26.21.0 0.0.0.255 eq 443

deny   tcp 172.26.20.0 0.0.0.255 any eq 443
deny   tcp 172.26.21.0 0.0.0.255 any eq 443

Protocol
Cisco AnyConnect Client Port

TLS (SSL)

TCP 443

SSL Redirection

TCP 80 (optional)

DTLS

UDP 443 (optional, but highly recommended)

IPsec/IKEv2

UDP 500, UDP 4500

 

Obviously, the acl entries are just for example. You'll need to take into account where the vpn traffic is terminating and specify that host. For example:

deny   tcp host <VPN host IP> 172.26.20.0 0.0.0.255 eq 443
deny   tcp host <VPN host IP> 172.26.21.0 0.0.0.255 eq 443

deny   tcp 172.26.20.0 0.0.0.255 host <VPN host IP> eq 443
deny   tcp 172.26.21.0 0.0.0.255 host <VPN host IP> eq 443

If you don't, you'll block normal ssl traffic. 

HTH,

John

 

 

 

HTH, John *** Please rate all useful posts ***
Latest Contents
Cisco Wants your Feedback on the Catalyst 2960-L!
Created by caiharve on 04-21-2021 04:27 PM
0
0
0
0
Review the Cisco Catalyst 2960-L Series Switches on TrustRadius and receive a $25 gift card!   
Cisco Wants your Feedback on the Catalyst 9300!
Created by caiharve on 04-21-2021 04:23 PM
0
0
0
0
Review the Cisco Catalyst 9300 Series Switches on TrustRadius and receive a $25 gift card!     
Cisco Wants your Feedback on the Catalyst 9500!
Created by caiharve on 04-21-2021 04:19 PM
0
0
0
0
Review the Cisco Catalyst 9500 Series Switches on TrustRadius and receive a $25 gift card!   
Cisco Wants your Feedback on the NX-OS!
Created by caiharve on 04-21-2021 03:50 PM
0
0
0
0
Review the Cisco NX-OS operating system on TrustRadius and receive a $25 gift card!     
Cisco DNA Software Demo Series - Cisco ThousandEyes
Created by gajewell on 04-20-2021 02:37 PM
0
0
0
0
Cisco DNA Software Demo Series - Cisco ThousandEyesRegister nowWednesday, May 12, 202110:00 am Pacific Daylight Time(San Francisco, GMT-07:00)SaaS applications and cloud-based services are increasingly critical for on-campus users, but they can be challen... view more
Content for Community-Ad