Dynamic Access Policies and RDP

Hi,

I'm trying to block the RDP port for a test through Dynamic Access Policies, without success. Is it possible to do that, or is there another way?


Hello,

Yes, you can apply an access list to the connection using DAP to block particular IPs and ports, but you need to create two separate ACLs: one with the deny statements and another one with the permit statement. Otherwise the ACL won't be applied to the connection. You can also run the debug "debug dap trace 200" to make sure that you're hitting the correct DAP that you configured when you connect.

Regards, please rate.


Hello,

I created a policy in Remote Access VPN > Dynamic Access Policies and changed these options:

Selection Criteria: User has ALL of the following AAA Attribute values ...

Tabs: Access Method for AnyConnect Client, and AnyConnect for the Use AnyConnect Profile setting.

Without any changes in other places it works; I checked this using Test Dynamic Access Policies...

Now I'd like to block the RDP port. How can I do that, and where?


Hello,

In the DAP that you configured there is an option called Network Access Filter, where you can apply an access list. Configure one with your deny statements:

access-list noaccess extended deny tcp x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.255 eq 3389

x.x.x.x = AnyConnect pool

y.y.y.y = destination server or IP

and another one with permit any any to allow the rest of the traffic:

access-list access extended permit ip any any

Apply both ACLs under Network Access Filter. When the connection hits that DAP, the ACL will be assigned to the connection, and the denies will automatically be placed on top.
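As an added illustration (not Cisco code, and not posted by anyone in this thread), the Python script below models how the two ACLs from this reply combine into the per-session filter described here and in the first reply: the deny ACL's entries on top, then the permit ACL, then the implicit deny that ends every ASA ACL. The addresses 10.10.10.0/24 (AnyConnect pool) and 192.168.1.50 (RDP server) are assumed placeholders for x.x.x.x and y.y.y.y. It also evaluates the deny ACL on its own, which shows why a deny-only filter is not usable by itself: every flow you meant to allow falls through to the implicit deny.

```python
import ipaddress

# Constructed sample ACLs (not from the thread): 10.10.10.0/24 stands in for the
# AnyConnect pool (x.x.x.x) and 192.168.1.50 for the RDP server (y.y.y.y).
DENY_ACL = [
    "access-list noaccess extended deny tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 3389",
]
PERMIT_ACL = [
    "access-list access extended permit ip any any",
]


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A.B.C.D | A.B.C.D MASK)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ASA ACLs take a real subnet mask (255.255.255.0), not an IOS wildcard mask.
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    action, proto = tokens[3], tokens[4]
    src, rest = _parse_addr(tokens[5:])
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"name": tokens[1], "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def merge_dap_filter(deny_acl, permit_acl):
    """Model the DAP Network ACL Filter: with both ACLs selected, the deny ACL's
    entries are placed above the permit ACL's entries in the per-session filter."""
    return [parse_ace(l) for l in deny_acl] + [parse_ace(l) for l in permit_acl]


def evaluate(aces, proto, src_ip, dst_ip, dport):
    """First-match evaluation. Returns (action, acl_name); a flow that matches
    nothing hits the implicit deny at the end of every ASA ACL."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in aces:
        if ace["proto"] != "ip" and ace["proto"] != proto:
            continue
        if src not in ace["src"] or dst not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], ace["name"]
    return "deny", "implicit"


DAP_FILTER = merge_dap_filter(DENY_ACL, PERMIT_ACL)
# The mistake the first reply warns about: only the deny ACL selected.
DENY_ONLY_FILTER = merge_dap_filter(DENY_ACL, [])


if __name__ == "__main__":
    flows = [("tcp", "10.10.10.7", "192.168.1.50", 3389),  # RDP to the server: blocked
             ("tcp", "10.10.10.7", "192.168.1.50", 443),   # HTTPS to the same server: allowed
             ("tcp", "10.10.10.7", "192.168.1.60", 3389)]  # RDP elsewhere: allowed
    for flow in flows:
        print(flow, "->", evaluate(DAP_FILTER, *flow),
              "| deny-only ACL:", evaluate(DENY_ONLY_FILTER, *flow))
```

The model only covers the ACE syntax used in this thread (any / host / subnet-mask addresses and a single `eq` destination port); on the real ASA, confirm the filter actually attached to a session with `show vpn-sessiondb detail anyconnect` after connecting.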


Hello,

Thank you for the answer; now I know what to do.

I have one more question, a little bit off topic. I noticed you are a Cisco employee: what is the "Host Scan Image", and where can I find and download it? Maybe this feature requires some special licence. Could you give me some information?


Hello,

Yes, you require an Apex ("premium") license.

You can check this link about HostScan features, the download link, and more:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect30/administration/guide/anyconnectadmin30/ac05hostscanposture.html