Allow AnyConnect clients access to only a few servers while connected

Michael Marzol
Level 1

We have 30 remote workers, recently acquired, who are being set up with the AnyConnect client to connect to our head-end ASA 5510. For security purposes, we have to allow them access to only 3 of our local internal servers, all on our 10.10.X.X/16 subnet. The remotes are being issued a 10.10.50.X/24 address via DHCP on the ASA when connecting. I thought this would be as simple as creating an access list but have not had any luck doing so. In addition, we need to allow them full access to servers in a datacenter connected to our same head-end ASA via a site-to-site VPN while they are connected to us using AnyConnect. Any pointers would be appreciated.

ASA version 8.3

Thanks,

-Mike


4 Replies

Roman Rodichev
Level 7

You have two choices. You can either apply the ACL as a split-tunnel ACL to a group policy:

access-list split_tunnel standard permit host 10.10.0.1
access-list split_tunnel standard permit host 10.10.0.2
access-list split_tunnel standard permit host 10.10.0.3
!
group-policy GROUP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel

or you can apply the ACL as a vpn-filter to a group-policy:

access-list filter_vendor standard permit host 10.10.0.1
access-list filter_vendor standard permit host 10.10.0.2
access-list filter_vendor standard permit host 10.10.0.3
!
group-policy GROUP attributes
 vpn-filter value filter_vendor

Hi Roman. Thanks for the quick reply.

Actually, I had the following lines in the configuration, but I am still able to ping other servers in the 10.10.X.X/16 network which I did not specify in the split tunnel ACL. (MRT-Coder is the group, MRT-CODERS is the policy, and MRT-SPLIT is the ACL.) The following is the output of the 'show run | inc MRT' command. Do you spot anything I might be missing, or should I just try the filter option?

access-list MRT-SPLIT standard permit host 10.10.1.45
access-list MRT-SPLIT standard permit host 10.10.1.52
access-list MRT-SPLIT standard permit host 10.10.1.224
ip local pool MRT-Coder 10.10.50.20-10.10.50.254 mask 255.255.255.0
group-policy MRT-CODERS internal
group-policy MRT-CODERS attributes
 split-tunnel-network-list value MRT-SPLIT
tunnel-group MRT-Coder type remote-access
tunnel-group MRT-Coder general-attributes
 address-pool MRT-Coder
 default-group-policy MRT-CODERS
tunnel-group MRT-Coder webvpn-attributes
 group-alias MRT-Coder enable


Roman,

I spoke too soon; using the vpn-filter option worked perfectly. Now, for the second part of my question. Is that something you might be able to help out with?

Basically, I need to allow these same AnyConnect users full access to servers located in a datacenter which will be connected to us via a site-to-site VPN.

Thanks,

-Mike

Same concept should apply. You should be able to allow them with vpn-filter.
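Pulling the two answers together, the following is an added example configuration for ASA 8.3 written for this page (it is not Roman's or Mike's configuration) that covers both parts of the question: restricting the AnyConnect users to the three internal servers, and letting the same users reach the datacenter behind the site-to-site tunnel. The three server addresses and the 10.10.50.0/24 pool are the ones from the thread; the datacenter subnet 192.168.100.0/24, the object names MRT-POOL, DC-NET and MRT-SERVERS, the filter ACL name MRT-FILTER, and the crypto-map ACL name L2L-DC are assumptions for illustration. Two points the thread leaves implicit: the split-tunnel network list in the posted config is ignored because split-tunnel-policy was left at its default of tunnelall, and split tunnelling is only a routing instruction to the client, not an enforcement point, so the vpn-filter (evaluated on the ASA for every packet entering or leaving the tunnel, with the client's assigned address as the ACL source) is the control that actually limits what a connected user can reach.

```cisco
! Added example (editor's, not from the thread). ASA 8.3 syntax.
! Assumed values: datacenter subnet 192.168.100.0/24 and the object/ACL
! names below. Server addresses and the client pool come from the thread.

object network MRT-POOL
 subnet 10.10.50.0 255.255.255.0
object network DC-NET
 subnet 192.168.100.0 255.255.255.0
object-group network MRT-SERVERS
 network-object host 10.10.1.45
 network-object host 10.10.1.52
 network-object host 10.10.1.224

! Split tunnel: sends only the listed destinations into the tunnel.
! The network-list has no effect unless the policy is tunnelspecified;
! the default (tunnelall) is why the posted config still reached 10.10.0.0/16.
access-list MRT-SPLIT standard permit host 10.10.1.45
access-list MRT-SPLIT standard permit host 10.10.1.52
access-list MRT-SPLIT standard permit host 10.10.1.224
access-list MRT-SPLIT standard permit 192.168.100.0 255.255.255.0

! vpn-filter: enforced by the ASA regardless of what the client routes.
! Source is the client's assigned address; the ASA matches return traffic
! on its own. Anything not permitted here is dropped (implicit deny).
access-list MRT-FILTER extended permit ip 10.10.50.0 255.255.255.0 object-group MRT-SERVERS
access-list MRT-FILTER extended permit ip 10.10.50.0 255.255.255.0 192.168.100.0 255.255.255.0

group-policy MRT-CODERS internal
group-policy MRT-CODERS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value MRT-SPLIT
 vpn-filter value MRT-FILTER

! Client-to-datacenter traffic arrives on and leaves the outside interface,
! so hairpin forwarding on that interface must be permitted.
same-security-traffic permit intra-interface

! The client pool must be "interesting traffic" for the site-to-site tunnel.
! L2L-DC is the assumed name of the existing crypto-map ACL for that tunnel;
! the datacenter side needs the mirror-image entry.
access-list L2L-DC extended permit ip 10.10.50.0 255.255.255.0 192.168.100.0 255.255.255.0

! If a dynamic NAT rule would otherwise catch outside-to-outside traffic,
! exempt the pool-to-datacenter flow with an 8.3 twice-NAT identity rule.
nat (outside,outside) source static MRT-POOL MRT-POOL destination static DC-NET DC-NET
```

To confirm the filter is actually attached to a live session, `show vpn-sessiondb detail anyconnect` lists the Filter Name per session, and `show access-list MRT-FILTER` shows hit counts per entry, so a permitted connection to one of the three servers should increment the first line while a blocked ping to another 10.10.x.x host increments nothing. Once the server list is settled, the natural next step is to narrow the `permit ip` entries to the specific TCP/UDP ports those servers actually serve.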