11-30-2018 02:11 PM - edited 03-12-2019 05:32 AM
Can someone help me with an issue I'm trying to resolve?
I want to deny vpn users access to some of our internal networks that we are migrating to a new company.
Internal networks are defined as:
179.5.0.0 255.255.0.0
10.0.0.0 255.0.0.0
But now I need to make certain subnets, like 179.5.20.0/24 and 10.10.23.0/24, unreachable by VPN users.
11-30-2018 02:18 PM
Are you using an ASA firewall? What type of VPN? I assume Remote Access VPN using AnyConnect?
If ASA, you probably need to configure VPN Filter, example here.
11-30-2018 02:32 PM
Yes, I use an ASA firewall. An update to this is that we want to deny all VPN access to those networks, not just AnyConnect clients.
11-30-2018 07:52 PM
11-30-2018 08:38 PM
Each VPN type has an associated configuration that defines which networks are accessible.
SSL VPN (AnyConnect) uses an ACL that's called out under "tunnel-specified" in the group-policy section of the configuration.
Site-to-site VPNs use a different ACL that's called out in the cryptomap associated with a given remote peer.
Change the ACLs and you change the accessible networks.
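The ACL approach described in this answer, written out as an added example; it is not from the original thread. It uses the two subnets from the question, while the names VPN-FILTER, ANYCONNECT-GP, L2L-PEER1, OUTSIDE-MAP and the remote site network 192.0.2.0/24 are assumptions chosen for illustration.

```text
! Added example, not from the thread. Object names and the remote network
! 192.0.2.0/24 are assumptions; the blocked and internal subnets come from
! the question.
!
! 1. AnyConnect (remote access): vpn-filter ACL on the group policy.
!    The ASA evaluates this ACL with the client's assigned address as the
!    source and the inside host as the destination, and it ends in an
!    implicit deny, so the permit lines are required or clients lose
!    access to everything. Deny entries must come before the broader permits.
access-list VPN-FILTER extended deny ip any 179.5.20.0 255.255.255.0
access-list VPN-FILTER extended deny ip any 10.10.23.0 255.255.255.0
access-list VPN-FILTER extended permit ip any 179.5.0.0 255.255.0.0
access-list VPN-FILTER extended permit ip any 10.0.0.0 255.0.0.0
!
group-policy ANYCONNECT-GP attributes
 vpn-filter value VPN-FILTER
!
! 2. Site-to-site: the crypto ACL referenced by the crypto map defines the
!    traffic that enters the tunnel. Deny entries placed before the permits
!    keep the two subnets out of the tunnel for this peer.
access-list L2L-PEER1 extended deny ip 179.5.20.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list L2L-PEER1 extended deny ip 10.10.23.0 255.255.255.0 192.0.2.0 255.255.255.0
access-list L2L-PEER1 extended permit ip 179.5.0.0 255.255.0.0 192.0.2.0 255.255.255.0
access-list L2L-PEER1 extended permit ip 10.0.0.0 255.0.0.0 192.0.2.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address L2L-PEER1
```

Two practical checks: a vpn-filter change takes effect for new sessions, so have existing AnyConnect users reconnect and confirm with `show vpn-sessiondb detail anyconnect` that the session lists the filter, then watch hit counts with `show access-list VPN-FILTER`. For site-to-site tunnels, the crypto ACL on the remote peer has to mirror this one; if you would rather not touch the crypto ACLs on both ends, the same vpn-filter mechanism can be applied to the group policy referenced by the ipsec-l2l tunnel-group, with the remote network as the ACL source and the local subnets as the destination.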