
Beginner

Deny vpn user access to some internal networks

Can someone help me with an issue I'm trying to resolve?

I want to deny VPN users access to some of our internal networks that we are migrating to a new company.

Internal networks as defined:

179.5.0.0   255.255.0.0

10.0.0.0    255.0.0.0

But now I need to make certain subnets, like 179.5.20.0/24 and 10.10.23.0/24, unreachable by VPN users.


4 REPLIES
RJI, Collaborator

Re: Deny vpn user access to some internal networks

Are you using an ASA firewall? What type of VPN? I assume Remote Access VPN using AnyConnect?

If ASA, you probably need to configure a VPN Filter; example here.

Beginner

Re: Deny vpn user access to some internal networks

Yes, I use an ASA firewall. An update to this is that we want to deny all VPN access to those networks, not just AnyConnect clients.

VIP Advisor

Re: Deny vpn user access to some internal networks

Hi,

If you remove sysopt connection permit-vpn, all VPN traffic will be allowed/denied by your interface ACLs.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Hall of Fame Master

Re: Deny vpn user access to some internal networks

Each VPN type has an associated configuration that defines which networks are accessible.

SSL VPN (AnyConnect) uses an ACL that's called out under "tunnel-specified" in the group-policy section of the configuration.

Site-to-site VPNs use a different ACL that's called out in the crypto map associated with a given remote peer.

Change the ACLs and you change the accessible networks.
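An added example, written for this thread and not taken from any of the posters, of what the two ACL types described above look like on an ASA for the subnets in the original post. The client pool 192.168.50.0/24, the remote-site network 172.16.100.0/24, and the ACL, group-policy and crypto map names are placeholders; it assumes the default sysopt connection permit-vpn is still in place.

```text
! --- Remote access (AnyConnect): vpn-filter in the group-policy ---
! A vpn-filter ACL is written with the VPN client address as the source
! and the internal network as the destination; the ASA applies it to both
! directions of the tunnel and ends with an implicit deny, so every
! network that should stay reachable must be permitted explicitly.
! The deny lines for the migrating subnets must come before the permits.
access-list VPN-FILTER extended deny ip 192.168.50.0 255.255.255.0 179.5.20.0 255.255.255.0
access-list VPN-FILTER extended deny ip 192.168.50.0 255.255.255.0 10.10.23.0 255.255.255.0
access-list VPN-FILTER extended permit ip 192.168.50.0 255.255.255.0 179.5.0.0 255.255.0.0
access-list VPN-FILTER extended permit ip 192.168.50.0 255.255.255.0 10.0.0.0 255.0.0.0

group-policy RA-GP attributes
 vpn-filter value VPN-FILTER

! --- Site-to-site: crypto map ACL (interesting traffic) ---
! Here source is the local network and destination is the remote site.
! Deny entries placed before the permit exclude those subnets from the
! tunnel, so the remote peer can no longer reach them through the VPN.
access-list L2L-ACL extended deny ip 179.5.20.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list L2L-ACL extended deny ip 10.10.23.0 255.255.255.0 172.16.100.0 255.255.255.0
access-list L2L-ACL extended permit ip 179.5.0.0 255.255.0.0 172.16.100.0 255.255.255.0
access-list L2L-ACL extended permit ip 10.0.0.0 255.0.0.0 172.16.100.0 255.255.255.0

crypto map OUTSIDE-MAP 10 match address L2L-ACL

! --- Verification ---
! show access-list VPN-FILTER      (hit counts on the deny lines)
! show vpn-sessiondb detail anyconnect   (Filter Name shows VPN-FILTER)
! show crypto ipsec sa             (only the permitted proxy identities)
```

Changing a vpn-filter does not affect sessions that are already established; users must reconnect for the new filter to apply.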
