Dynamic Access Policies and RDP

exsitezet1
Level 1

Hi,

I am trying to block the RDP port (for a test) through Dynamic Access Policies, without success. Is it possible to do that, or is there another way?

5 Replies

Diego Lopez
Level 1

Hello,

Yes, you can apply an access list to the connection using DAP to block particular IPs and ports, but you need to create two separate ACLs, one with the deny statements and the other with the permit statements; otherwise the ACL won't be applied to the connection. You can also run the debug "debug dap trace 200" to make sure that you're hitting the correct DAP that you configured when you connect.

Regards, please rate.

Hello,

I created a policy in Remote Access VPN > Dynamic Access Policies, I changed options:

Selection Criteria: User has ALL of the following AAA Attribute values ...

Tabs: Access Method for AnyConnect Client, and AnyConnect for the Use AnyConnect Profile setting.

Without any changes elsewhere it works; I checked this using Test Dynamic Access Policies.

Now I'd like to block the RDP port. How can I do that, and where?

Hello

In the DAP that you configured there is an option that says Network Access Filter, and you can apply an access list there. Configure one with your deny statements:

access-list noaccess extended deny tcp x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.255 eq 3389

x.x.x.x = AnyConnect pool

y.y.y.y = destination server or IP

Another one with permit any any to allow the rest of the traffic:

access-list access extended permit ip any any

Apply both ACLs under Network Access Filter. When the connection hits that DAP, the ACLs will be assigned to the connection, and the denies will automatically be placed on top.

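A worked check of the two-ACL approach described in the reply above, added here as an example and not part of the original thread or of any Cisco tool. It emulates how DAP aggregates the assigned Network ACLs (deny entries first, then permits, each ACL uniform), then evaluates sample flows against the merged result the way the ASA would (first match wins, implicit deny at the end). The pool 192.0.2.0/24 and the server 198.51.100.10 are assumed stand-ins for the x.x.x.x / y.y.y.y placeholders, and the parser handles only the ACE syntax used in the thread (no object-groups, port ranges or log keywords).

```python
import ipaddress

# Constructed sample input: the two ACLs from the reply, with the placeholders filled in
# (assumed AnyConnect pool 192.0.2.0/24, assumed RDP server 198.51.100.10).
NOACCESS_ACL = [
    "access-list noaccess extended deny tcp 192.0.2.0 255.255.255.0 198.51.100.10 255.255.255.255 eq 3389",
]
ACCESS_ACL = [
    "access-list access extended permit ip any any",
]


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA writes masks in dotted form; ipaddress accepts "addr/netmask" directly.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended" or t[3] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    name, action, proto = t[1], t[3], t[4]
    src, rest = _parse_addr(t[5:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest:
        if rest[0] != "eq" or len(rest) != 2:
            raise ValueError(f"unsupported port spec in ACE: {line}")
        dport = int(rest[1])
    return {"acl": name, "action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def merge_dap_acls(*acls):
    """Emulate DAP Network ACL aggregation: every assigned ACL must be all-deny or all-permit,
    and the merged result lists all deny ACEs before all permit ACEs."""
    aces = [parse_ace(line) for acl in acls for line in acl]
    actions_by_acl = {}
    for ace in aces:
        actions_by_acl.setdefault(ace["acl"], set()).add(ace["action"])
    for name, actions in actions_by_acl.items():
        if len(actions) > 1:
            raise ValueError(f"ACL {name} mixes permit and deny; DAP will not apply it")
    denies = [a for a in aces if a["action"] == "deny"]
    permits = [a for a in aces if a["action"] == "permit"]
    return denies + permits


def _matches(ace, proto, src, dst, dport):
    if ace["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    return ace["dport"] is None or ace["dport"] == dport


def evaluate(merged, proto, src, dst, dport=None):
    """First-match evaluation over the merged ACL, with the ASA's implicit deny at the end."""
    for ace in merged:
        if _matches(ace, proto, src, dst, dport):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    merged = merge_dap_acls(NOACCESS_ACL, ACCESS_ACL)
    for ace in merged:
        print(ace["acl"], ace["action"], ace["proto"], ace["src"], "->", ace["dst"], ace["dport"])
    client, server = "192.0.2.25", "198.51.100.10"
    print("RDP to server:", evaluate(merged, "tcp", client, server, 3389))   # deny
    print("HTTPS to server:", evaluate(merged, "tcp", client, server, 443))  # permit
    print("RDP elsewhere:", evaluate(merged, "tcp", client, "198.51.100.11", 3389))  # permit
```

Note what the evaluation shows: only TCP/3389 from the pool to that one host is dropped, while RDP to any other host and all other traffic to the server still pass, and a single ACL that mixes permit and deny is rejected by merge_dap_acls, matching the reply's warning that such an ACL is not applied. If the intent is to block RDP to the whole internal range rather than one server, widen the destination in the deny ACE accordingly.
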
Hello,

Thank you for the answer; now I know what to do.

I have one more question, a little bit off topic. I noticed you are a Cisco employee:

what is the "Host Scan Image", and where can I find and download it? Maybe this feature requires some special licence; could you give me some information?

Hello

Yes, you require an Apex license ("premium").

You can check this link about HostScan features, the download link, and more:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html
