Anyconnect limited VPN access

Brendan Wood
Level 1

Hi,

I already have a VPN profile set up on my machine for full-access VPN connectivity into my LAN and DMZ.

I would need to set up another one, but I need it to have access to certain machine/port combinations ONLY, for example:

Server1: Remote desktop

Server2: Jira (Port 7272)

Server2: TFS

Server3: SQL Server

And everything else blocked of course.

Just to set me in the right direction, what is the recommended method to go about this?

Thanks,

Brendan.

2 Replies

Jouni Forss
VIP Alumni

Hi,

Well, I think there would be a few different basic options to approach this:

If you are using local authentication on the ASA for the VPN user then you can actually use the same VPN you have configured for yourself but attach a VPN Filter ACL to the "username" configuration/attributes of the user that needs limited connectivity.

As a similar option compared to the above, you could actually leave out the VPN Filter ACL and change the ASA global setting that defines how connections incoming from VPN are handled. There is a setting called "sysopt connection permit-vpn" that is the default setting (it doesn't show in the CLI configuration). This essentially means that any connection coming through a VPN connection will bypass the VPN interface ACL. If you were to change this setting to "no sysopt connection permit-vpn" then ANY connection coming through VPN would require an ACL rule in the VPN interface's ACL. If you were to use local authentication or otherwise knew the IP address the user would get on VPN login, you could then use the actual interface ACL to allow only the traffic it needs and, for example, allow all traffic for your own full-access VPN.

You could of course also configure a completely new VPN profile for these users and configure the VPN Filter for that whole group. This might in some sense be a clearer setup when you have a VPN profile that is specifically used for your own purposes that allows full access, while the other group is specifically meant for some external users perhaps.

Hopefully the above made some sense.

- Jouni

npokhriy
Level 1

As mentioned by Jouni, the best option is to configure vpn-filters. This will not affect your other VPN traffic either.

You can configure vpn-filters on the ASA as follows:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

HTH!!!

Regards,

Naresh
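To make the two replies concrete, here is an added ASA configuration fragment (not from either reply or from the linked Cisco document) that builds a vpn-filter ACL for the asker's four allowed server/port combinations and attaches it either to a single local username (Jouni's first option) or to a dedicated group policy (his third option). Assumed values: VPN address pool 10.10.10.0/24, Server1 192.168.1.11, Server2 192.168.1.12, Server3 192.168.1.13, username "limiteduser"; the Jira port 7272 comes from the question, RDP 3389 and SQL Server 1433 are those services' defaults, and the TFS port 8080 is an assumed default.

```cisco
! Added illustration, not configuration from the thread or the linked doc.
! Assumed addressing: VPN pool 10.10.10.0/24, Server1 192.168.1.11,
! Server2 192.168.1.12, Server3 192.168.1.13.
!
! A vpn-filter ACL is written with the VPN client address as the source
! and the internal host as the destination. The ASA applies the filter
! to traffic in both directions, so the service port goes on the
! destination side only.
access-list LIMITED-VPN-FILTER remark Server1: Remote Desktop
access-list LIMITED-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.11 eq 3389
access-list LIMITED-VPN-FILTER remark Server2: Jira (port 7272 from the question)
access-list LIMITED-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.12 eq 7272
access-list LIMITED-VPN-FILTER remark Server2: TFS (port 8080 is an assumed default)
access-list LIMITED-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.12 eq 8080
access-list LIMITED-VPN-FILTER remark Server3: SQL Server
access-list LIMITED-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.13 eq 1433
! Everything else is dropped by the ACL's implicit deny at the end,
! including DNS and ICMP, so add explicit permits if those are needed.
!
! Option 1 (local authentication): attach the filter to the one user,
! leaving the shared VPN profile full-access for everyone else.
username limiteduser password <placeholder>
username limiteduser attributes
 vpn-filter value LIMITED-VPN-FILTER
!
! Option 3: a separate group policy for all restricted users instead.
group-policy LIMITED-VPN-POLICY internal
group-policy LIMITED-VPN-POLICY attributes
 vpn-filter value LIMITED-VPN-FILTER
```

After the user connects, `show access-list LIMITED-VPN-FILTER` shows per-line hit counts, which is the quickest way to confirm that only the intended entries are matching.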