Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
211
Views
10
Helpful
8
Replies

How do I block Traffic between VPN users?

fhk-cwempe
Beginner
Beginner

‎01-24-2023 07:55 AM

We have a few VPN-Servers (Firepower 1140).

When a User connects he gets a static IP via RADIUS (e.g. 10.99.1.2) or a address from a Adress-Pool configured on the server (e.g. 10.0.1.2).

With our current configuration this allows traffic between the users (10.99.1.2 <-> 10.0.1.2).

How can we prevent that?

On a Wireless LAN Controller C9800 I can set P2P Blocking Action to Drop.

Is there something similar for the ASA?

We mostly use AnyConnect, but there are a few users that use their own IPsec-Client.

 

Labels:
8 Replies 8

rais
Rising star
Rising star

‎01-24-2023 08:02 AM

On an ASA you can create two different zones for these networks and apply policy rules.

HTH.

0 Helpful

fhk-cwempe
Beginner
Beginner
In response to rais

‎01-24-2023 08:39 AM

Sorry, I guess my issue is simpler than my example.

I also want to block traffic between 10.99.1.2 and 10.99.1.3.

0 Helpful

MHM Cisco World
Mentor
Mentor

‎01-24-2023 08:39 AM

you need all user can not talk to all users or specific one?

0 Helpful

fhk-cwempe
Beginner
Beginner
In response to MHM Cisco World

‎01-24-2023 11:46 PM

Yes, no one should be able to talk to any other vpn user.

MHM Cisco World
Mentor
Mentor
In response to fhk-cwempe

‎01-25-2023 05:03 AM

You can use VPN filter, 
deny VPN pool1 -> VPN Pool2
permit VPN pool1 -> LAN (Inside)

0 Helpful

khorram1998
Beginner
Beginner

‎01-24-2023 09:08 AM

To block traffic between VPN users on a Firepower 1140, you can create an access control policy and apply it to the VPN users.

  1. Go to Configuration > Firewall > Access Control and create a new policy.
  2. In the policy, create a rule that denies traffic between the VPN user subnet (e.g. 10.99.1.0/24) and the VPN address pool subnet (e.g. 10.0.1.0/24).
  3. Apply this policy to the VPN users by going to Configuration > Remote Access VPN > AnyConnect > Group Policy and selecting the policy in the "Access Control Policy" field.

Additionally, you can also use the "same-security-traffic permit inter-interface" command under the VPN configuration to block traffic between VPN users.

This will block all traffic between VPN users, regardless of the VPN connection type (AnyConnect or IPsec).

Please note that this will only work if VPN users are assigned IP addresses from different subnets.

Please rate this and mark as solution/answer, if this resolved your issue
All the best,
AK



0 Helpful

fhk-cwempe
Beginner
Beginner
In response to khorram1998

‎01-24-2023 11:48 PM

@khorram1998 wrote:

Please note that this will only work if VPN users are assigned IP addresses from different subnets.

I think that is not good enough for me.

0 Helpful

Rob Ingram
VIP Expert VIP Expert
VIP Expert
In response to fhk-cwempe

‎01-25-2023 12:48 AM

@fhk-cwempe try using VPN Filter applied to the Remote Access VPN group policy to first deny traffic between the anyconnect user IP networks, then permit the rest of the required traffic.

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

https://integratingit.wordpress.com/2019/03/06/asa-vpn-filter/

 

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents