Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6591
Views
29
Helpful
8
Replies

Anyconnect client firewall or group policy VPN filter?

Mohamed Hamid
Level 1
Level 1

‎01-15-2014 01:07 AM - edited ‎02-21-2020 07:26 PM

Hi Guys

I have seen that if I want to place an ACL for a VPN group I can either do it via a VPN filter within the group policy settings or by applyinh a private  ACL under anyconnect > client firewall settings.

Which method is the preffered method and what are the differences?

Thank you        

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Florin Barhala
Level 6
Level 6

‎07-02-2014 07:04 AM

Any thoughts on this, I am also interested in one good answer.

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to Florin Barhala

‎07-02-2014 10:45 PM

Hi ,

VPN filter is global method that provides granular restriction (port based filtering) which can be used to restrict the traffic originating from the client. The VPN filter checks the incoming connections over the VPN tunnel.

Client firewall option is mostly used when you have Local Lan Access applied , so that with Lan access enabled , you can filter the traffic (e.g allowing access to only printers in local lan).
Hope this helps.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

Florin Barhala
Level 6
Level 6
In response to Dinesh Moudgil

‎07-03-2014 02:24 AM

Hello Dinesh,

I have a group-policy used in a Anyconnect profile. This profile is using only ssl-client as tunneling protocol.

Can I still use vpn-filter? I don't see it available on the attached picture if my presumption is right: vpn-filter == client access rules.

 

Thanks!

Preview file
40 KB
0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to Florin Barhala

‎07-03-2014 10:28 AM

Hi Florin,

 

This is under More options in the group-policy.
See the attached snippet.

Regards,
Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
Preview file
35 KB

Florin Barhala
Level 6
Level 6
In response to Dinesh Moudgil

‎07-04-2014 02:29 AM

Nice catch, thanks!

0 Helpful

nkarthikeyan
Level 7
Level 7

‎07-03-2014 02:41 AM

Hi Mohammed,

VPN filters provide the ability to permit or deny post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.

a VPN filter the ACL (which is stateful) is applied to traffic both bi-directionally and to all interfaces. Because of this the definition of the source and destination fields within the ACL do not apply ; instead the ACL fields relate to what IP/Port should be permitted or denied for the Local and Remote subnets.

If you use client firewall settings you can have rules configured and that will be pushed to the VPN client table during the IKE negotiation itself. In Client firewall you have multiple options. Here you have to define inbound and outbound ACL's seperately. In client-firewall options you can define policies for zone alarm, IPS, customized servers. etc.

 

Regards

Karthik

Florin Barhala
Level 6
Level 6
In response to nkarthikeyan

‎07-03-2014 03:03 AM

Hi mate,

What can I use for my scenario group-policy used in a Anyconnect profile?

Either of the two or just Client Firewall?

0 Helpful

nkarthikeyan
Level 7
Level 7
In response to Florin Barhala

‎07-03-2014 03:34 AM

Hi Florin,

You can have any of the one in group-policy. I prefer to have VPN-Filter list.

 

Regards

Karthik
 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents