Deny vpn user access to some internal networks

ugochunw123 · ‎11-30-2018

Can someone help me with an issue i'm trying to resolve.

I want to deny vpn users access to some of our internal networks that we are migrating to a new company.

internal networks as defined

179.5.0.0 255.255.0.0

10.0.0.0 255.0.0.0

but now I need make certain subnets unreachable like 179.5.20.0/24 and 10.10.23.0/24 by vpn users.

Rob Ingram · ‎11-30-2018

Are you using an ASA firewall? What type of VPN, I assume Remote Access VPN using AnyConnect?

If ASA, you probably need to configure VPN Filter, example here.

ugochunw123 · ‎11-30-2018

Yes i use ASA Firewall. An update to this is that we want to deny all vpn access to those networks not just anyconnect clients

Francesco Molino · ‎11-30-2018

Hi,

If you remove sysopt connection permit-vpn, all VPN traffic will be allowed/denied by your interface acls.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads · ‎11-30-2018

Each VPN type has an associated configuration that defines which networks are accessible.

SSL VPN (Anyconnect) uses an ACL that's called out under "tunnel-specified" in the group-policy section of the configuration.

Site-to-site VPNs use a different ACL that's called out in the cryptomap associated with a given remote peer.

Change the ACLs and you change the accessible networks.