10-03-2013 08:16 AM - edited 02-21-2020 07:12 PM
Hi,
I already have a VPN profile set up on my machine for full-access VPN connectivity into my LAN and DMZ.
I would need to set up another one, but I need it to have access only to certain machine/port combinations, for example:
Server1: Remote desktop
Server2: Jira (Port 7272)
Server2: TFS
Server3: SQL Server
And everything else blocked of course.
Just to set me in the right direction, what is the recommended method to go about this?
Thanks,
Brendan.
10-03-2013 08:34 AM
Hi,
Well, I think there would be a few different basic options to approach this.
If you are using local authentication on the ASA for the VPN user, then you can actually use the same VPN you have configured for yourself but attach a VPN Filter ACL to the "username" configuration/attributes of the user that needs limited connectivity.
As a similar option compared to the above, you could actually leave out the VPN Filter ACL and change the ASA global setting that defines how connections incoming from VPN are handled. There is a setting called "sysopt connection permit-vpn" that is the default setting (doesn't show in the CLI configuration). This essentially means that any connection coming through a VPN connection will bypass the VPN interface ACL. If you were to change this setting to "no sysopt connection permit-vpn", then ANY connection coming through VPN would require an ACL rule in the VPN interface's ACL. If you were to use local authentication or otherwise knew the IP address the user would get on VPN login, you could then use the actual interface ACL to allow only the traffic it needs and, for example, allow all traffic for your own full-access VPN.
You could of course also configure a completely new VPN profile for these users and configure the VPN Filter for that whole group. This might in some sense be a clearer setup when you have a VPN profile that is specifically used for your own purposes that allows full access, while the other group is specifically meant for some external users perhaps.
Hopefully the above made some sense.
- Jouni
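The "no sysopt connection permit-vpn" option above, written out as an added example (editor's illustration, not configuration from Jouni's reply or from the thread). Every name and address is assumed: FULL-POOL 192.168.100.0/24 as the pool of the existing full-access profile, 192.168.200.10 as a fixed address for one restricted local user, Server1/2/3 at 10.10.10.11/.12/.13 on the inside, and the usual default ports for RDP (3389), TFS (8080) and SQL Server (1433); Jira on 7272 is from the question. Syntax is ASA 8.3+ (ACLs match real, pre-NAT addresses).

```cisco
! 1. Stop decrypted VPN traffic from bypassing the outside interface ACL.
!    The default "sysopt connection permit-vpn" is not shown in "show run";
!    confirm the current state with: show running-config all sysopt
no sysopt connection permit-vpn

! 2. Give the restricted user a fixed VPN address so the interface ACL can
!    match on it. Works with local authentication (a RADIUS server can return
!    the same Framed-IP-Address). Password is a placeholder.
username jdoe password Sample-Password-1 privilege 0
username jdoe attributes
 vpn-framed-ip-address 192.168.200.10 255.255.255.0

! 3. Outside interface ACL. This ACL now governs ALL inbound traffic on the
!    outside interface, VPN and non-VPN alike, so any existing entries for
!    published DMZ services must stay in it.
!    Restricted user: only the four machine/port pairs from the question.
access-list OUTSIDE-IN extended permit tcp host 192.168.200.10 host 10.10.10.11 eq 3389
access-list OUTSIDE-IN extended permit tcp host 192.168.200.10 host 10.10.10.12 eq 7272
access-list OUTSIDE-IN extended permit tcp host 192.168.200.10 host 10.10.10.12 eq 8080
access-list OUTSIDE-IN extended permit tcp host 192.168.200.10 host 10.10.10.13 eq 1433
!    Existing full-access profile: everything from its pool.
access-list OUTSIDE-IN extended permit ip 192.168.100.0 255.255.255.0 any
!    ... keep the interface's existing non-VPN entries here ...
!    Implicit deny drops everything else from the VPN pools.
access-group OUTSIDE-IN in interface outside

! 4. Verify: connect as jdoe, try RDP to Server1 and then something not
!    listed, and read the per-line hit counts.
show access-list OUTSIDE-IN
```

The caveat with this approach is that disabling the sysopt bypass is global: from that moment every tunnel on the ASA, including the existing full-access one, is subject to the interface ACL, so add the permit for the full-access pool in the same change window as the "no sysopt" line.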
10-03-2013 10:34 AM
As mentioned by Jouni, the best option is to configure vpn-filters. This will not affect your other VPN traffic either.
You can configure vpn filters on the ASA as follows:
HTH!!!
Regards,
Naresh
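A vpn-filter configuration for the four machine/port pairs in the question, as an added example (editor's illustration, not the configuration Naresh posted). Names and addresses are assumed: LIMITED-POOL 192.168.200.0/24 for the restricted users, Server1/2/3 at 10.10.10.11/.12/.13 on the inside, and the default ports for RDP (3389), TFS (8080) and SQL Server (1433); Jira on 7272 is from the question. Syntax is ASA 8.4+ (object-free ACL form, "ikev1" keywords, real pre-NAT addresses). It shows both placements Jouni mentioned: on a separate group-policy/tunnel-group, and on a single username.

```cisco
ip local pool LIMITED-POOL 192.168.200.1-192.168.200.50 mask 255.255.255.0

! A vpn-filter ACL is evaluated with the VPN client as SOURCE and the LAN
! host as DESTINATION, so "eq <port>" is the server port. The ASA applies
! the filter to both directions of the tunnel and allows the return traffic
! of a permitted connection, so one line per service is enough.
! Never reuse this ACL as an interface access-group.
access-list LIMITED-VPN-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.11 eq 3389
access-list LIMITED-VPN-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.12 eq 7272
access-list LIMITED-VPN-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.12 eq 8080
access-list LIMITED-VPN-FILTER extended permit tcp 192.168.200.0 255.255.255.0 host 10.10.10.13 eq 1433
! The implicit deny already drops everything else; an explicit logged deny
! makes the drops visible in syslog while the list is being tuned.
access-list LIMITED-VPN-FILTER extended deny ip any any log

! Option A: separate profile for the restricted users (the existing
! full-access group-policy and tunnel-group are not touched).
group-policy LIMITED-GP internal
group-policy LIMITED-GP attributes
 vpn-tunnel-protocol ikev1
 address-pools value LIMITED-POOL
 vpn-filter value LIMITED-VPN-FILTER
tunnel-group LIMITED-VPN type remote-access
tunnel-group LIMITED-VPN general-attributes
 default-group-policy LIMITED-GP
tunnel-group LIMITED-VPN ipsec-attributes
 ikev1 pre-shared-key Sample-PSK-Change-Me

! Option B: keep the one existing profile and pin the filter to a single
! locally authenticated user. A vpn-filter under "username ... attributes"
! overrides the group-policy value for that user only; other users of the
! same profile keep their full access. Password is a placeholder.
username jdoe password Sample-Password-1 privilege 0
username jdoe attributes
 vpn-filter value LIMITED-VPN-FILTER

! Verify after the user connects: the session detail shows the applied
! "Filter Name", and the ACL counters climb only for permitted traffic.
show vpn-sessiondb detail filter name jdoe
show access-list LIMITED-VPN-FILTER
```

Two things to check before relying on the filter: make sure the pool you reference in the ACL is the pool the restricted users actually receive (a user placed in the wrong tunnel-group gets that group's policy and pool), and remember that with the default "sysopt connection permit-vpn" still in place the vpn-filter is the only thing standing between the tunnel and the LAN, so the deny line at the end is doing real work.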