712 Views | 0 Helpful | 5 Replies

control what anyconnect remote user can access

nflnetwork (Level 1)

How do I control what networks / hosts my AnyConnect VPN user group can access?

Ex:

I have a group called EXTERNAL.

I want EXTERNAL only to have access to the 192.168.1.5 and 192.168.1.10 hosts and nothing else.

Where do I place my statements?

Accepted Solution

Hi,

You could create a VPN filter, reference here, and you'd then apply this to the group-policy. You'll need to amend the source network to be your VPN pool. Example:

access-list VPN-FILTER permit ip x.x.x.x 255.255.255.0 192.168.1.5 255.255.255.255
access-list VPN-FILTER permit ip x.x.x.x 255.255.255.0 192.168.1.10 255.255.255.255
group-policy EXTERNAL attributes
 vpn-filter value VPN-FILTER

Alternatively, if you are using ISE as the RADIUS server you can push down a DACL.

 

HTH


5 Replies


What if I wanted to take it 1 step further and permit a custom port, TCP 446, only?

So you can tweak the ACL to use permit tcp and specify the ports instead of permit ip. E.g.:

access-list VPN-FILTER permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 446

That reference link I provided goes into more detail for you.


HTH

Did not receive the link.

Also, when creating an ACL, is all other traffic implicitly denied?

Ah OK, the link was a hyperlink under the word "here" in the original post; it should have been highlighted. I've made it a bit more obvious this time:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Yes, implicit deny.
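To make the two points of this thread concrete, the accepted answer's per-host vpn-filter ACL and the later "permit tcp ... eq 446 / implicit deny" answer, here is a small Python model of ASA-style access-list matching. It is an added illustration, not code from the thread, from Cisco, or from the ASA itself: it parses access-list lines in the order they appear, applies first-match-wins, and returns the implicit deny when nothing matches. The VPN pool 10.10.10.0/24 stands in for the x.x.x.x in the accepted answer and is a constructed value; the sample also accepts the host and any keywords, which go beyond the address/mask form used in the thread. It checks only the ACL match logic; how the ASA applies a vpn-filter to tunnel traffic in both directions is covered by the linked Cisco document.

```python
"""Model of ASA-style access-list matching: ordered entries, first match wins,
implicit deny at the end. Added illustration, not ASA code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # "ip", "tcp" or "udp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None  # from a trailing "eq <port>"; None = any port


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec at tok[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D M.M.M.M' (ASA ACLs take subnet masks, not IOS wildcard masks).
    Returns the network and the index of the next unread token."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(tok[i + 1] + "/32"), i + 2
    # ipaddress accepts a dotted-quad netmask; strict=False tolerates host bits
    return ipaddress.IPv4Network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_acl(config: str, name: str) -> List[Ace]:
    """Collect the entries of access-list <name> in the order they appear;
    unrelated config lines (group-policy, vpn-filter, blanks) are skipped."""
    rules: List[Ace] = []
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[1] != name:
            continue
        action, proto = tok[2], tok[3]
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        rules.append(Ace(action, proto, src, dst, port))
    return rules


def evaluate(rules: List[Ace], proto: str, src_ip: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Return 'permit', 'deny' or 'deny (implicit)' for one flow."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for r in rules:
        if r.proto != "ip" and r.proto != proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.dst_port is not None and r.dst_port != dst_port:
            continue
        return r.action            # first matching entry decides
    return "deny (implicit)"       # nothing matched: the ACL's implicit deny


# Constructed sample: 10.10.10.0/24 stands in for the VPN address pool
# (the x.x.x.x in the thread), restricted to TCP/446 on the two hosts.
SAMPLE_CONFIG = """
access-list VPN-FILTER permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.5 eq 446
access-list VPN-FILTER permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 446
group-policy EXTERNAL attributes
 vpn-filter value VPN-FILTER
"""


def check_flows() -> dict:
    """Evaluate a few constructed client flows against the sample filter."""
    rules = parse_acl(SAMPLE_CONFIG, "VPN-FILTER")
    return {
        "tcp 446 to .5":  evaluate(rules, "tcp", "10.10.10.7", "192.168.1.5", 446),
        "tcp 22 to .5":   evaluate(rules, "tcp", "10.10.10.7", "192.168.1.5", 22),
        "tcp 446 to .20": evaluate(rules, "tcp", "10.10.10.7", "192.168.1.20", 446),
        "udp 446 to .5":  evaluate(rules, "udp", "10.10.10.7", "192.168.1.5", 446),
    }


if __name__ == "__main__":
    for flow, verdict in check_flows().items():
        print(f"{flow:16} -> {verdict}")
```

Only the first flow is permitted; a different port, a third host, or UDP all fall through to the implicit deny, which is the behaviour the last answer in the thread confirms.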