Dynamic Access Policies - Network ACL problem - No implicity Deny?

sossie · ‎01-20-2011

Hi all,

Cisco ASA 5510 running 8.3.2

I am configuring anyconnect VPN using Dynamic Access Policies for the first time. I have configured AAA Ldap against Windows 2003 Active Directory and this is working fine.

What I would like to do is setup some granularity and create AD groups that give network access to particular devices.

EG I create an AD group "allow RDP to server", put my authorized users in that, create a DAP policy that has a network ACL configured that says:

permit from VPN pool RDP to Server.

Then I may create a AD grout "allow telnet to switch" put my users in that, create a DAP policy that has a network ACL configured that says:

permit from VPN pool Telnet to switch.

I think everything is working ok in terms of applying the correct policy to the correct user, but the problem is that all users who have VPN access always have full access to all network resources. e.g. all authenticated users can always rdp or telnet to all services down the vpn.

I think I somehow need an implicity deny, or perhaps I could create a DAP ACL deny all policy. I have tried creating a deny all DAP, with a "Deny Any Any" ACL and giving that a low priority etc but nothing seems to work.

"sysopt connection permit-vpn" is turned on. I think this is by default. Not sure if this has any relevance though.

Has anyone any ideas where I'm going wrong?

Thanks, Simon.

argnetworking · ‎01-21-2011

What does your DfltAccessPolicy says?

This is the last policy applied to the client, I have a deny any any on this one.

sossie · ‎01-26-2011

Hi, thanks for the reply.

In the DfltAccessPolicy have tried a deny any any ACL and terminate. From my understanding of the doc, the DfltAccessPolicy only applies if no other policys match. I have deny any any and terminate here so if someone authenticatictes but has no permissions they can't connect to anything.

Thanks, Simon.

jonesandrew · ‎06-15-2013

i have also come accross a similar issue. applying an acl in DAP to a vpn user doesnt seem to be very effective, as it only allows for and acl with all deny entires or all permit entries.

so i put in an acl to block users from two certain IP subnets, and it seems there is no implicit permit everything esle, and it wont let me apply an acl which has "deny ip any 10.x.x.x" followed by "permit ip any any"

when configuring an ACL that simply blocks 2 subnets, all connectivty is blocked as the implicit deny is kicking in.

this doesnt seem like a very effective feature, and the alternative is specificing a permit to each subnet other than the 2 i dont want the users accessing.

perhaps ill have to create 2 VPN profiles and apply ACL to either vpn, and use DAP to select the vpn the user ends up in.

Mark Lancaster · ‎12-13-2013

I have been labbing DAP Network ACL's in ASA 9.1(3), and the implicity default deny seems to be working as expected for me. I am able to define DAP policy with an associated Network ACL that contains some permit lines, and traffic to all other resources/networks seems to be blocked by default.