Using ACL to restrict VPN access from a Subnet

Kaushik Ray · ‎09-29-2015

Hello all

I am trying to restrict VPN access from a couple of subnets on a Cisco Router.

The following is the config I have put in but it still allows VPN to establish. Cisco AnyConnect is being used as a VPN Client

RTR# sh run | section ip access-list extended BlockVPN_CORP
ip access-list extended BlockVPN_CORP
deny   udp 172.26.20.0 0.0.0.255 any eq isakmp non500-isakmp
deny   udp 172.26.21.0 0.0.0.255 any eq isakmp non500-isakmp
deny   tcp 172.26.20.0 0.0.0.255 any eq 500 4500
deny   tcp 172.26.21.0 0.0.0.255 any eq 500 4500
deny   udp any 172.26.20.0 0.0.0.255 eq isakmp non500-isakmp
deny   udp any 172.26.21.0 0.0.0.255 eq isakmp non500-isakmp
deny   tcp any 172.26.20.0 0.0.0.255 eq 500 4500
deny   tcp any 172.26.21.0 0.0.0.255 eq 500 4500
permit ip any any

interface GigabitEthernet0/0.98
encapsulation dot1Q 98
ip access-group BlockVPN_CORP in
ip access-group BlockVPN_CORP out

Can you please advise where I am getting wrong?

John Blakley · ‎09-29-2015

Anyconnect may be using 443 to establish VPN. Try adding:

deny tcp any 172.26.20.0 0.0.0.255 eq 443
deny tcp any 172.26.21.0 0.0.0.255 eq 443

deny tcp 172.26.20.0 0.0.0.255 any eq 443
deny tcp 172.26.21.0 0.0.0.255 any eq 443

Protocol	Cisco AnyConnect Client Port
TLS (SSL)	TCP 443
SSL Redirection	TCP 80 (optional)
DTLS	UDP 443 (optional, but highly recommended)
IPsec/IKEv2	UDP 500, UDP 4500

Obviously, the acl entries are just for example. You'll need to take into account where the vpn traffic is terminating and specify that host. For example:

deny tcp host <VPN host IP> 172.26.20.0 0.0.0.255 eq 443
deny tcp host <VPN host IP> 172.26.21.0 0.0.0.255 eq 443

deny tcp 172.26.20.0 0.0.0.255 host <VPN host IP> eq 443
deny tcp 172.26.21.0 0.0.0.255 host <VPN host IP> eq 443

If you don't, you'll block normal ssl traffic.

HTH,

John

HTH, John *** Please rate all useful posts ***