We have a few VPN-Servers (Firepower 1140).
When a User connects he gets a static IP via RADIUS (e.g. 10.99.1.2) or a address from a Adress-Pool configured on the server (e.g. 10.0.1.2).
With our current configuration this allows traffic between the users (10.99.1.2 <-> 10.0.1.2).
How can we prevent that?
On a Wireless LAN Controller C9800 I can set P2P Blocking Action to Drop.
Is there something similar for the ASA?
We mostly use AnyConnect, but there are a few users that use their own IPsec-Client.
To block traffic between VPN users on a Firepower 1140, you can create an access control policy and apply it to the VPN users.
Additionally, you can also use the "same-security-traffic permit inter-interface" command under the VPN configuration to block traffic between VPN users.
This will block all traffic between VPN users, regardless of the VPN connection type (AnyConnect or IPsec).
Please note that this will only work if VPN users are assigned IP addresses from different subnets.
Please rate this and mark as solution/answer, if this resolved your issue
All the best,
@fhk-cwempe try using VPN Filter applied to the Remote Access VPN group policy to first deny traffic between the anyconnect user IP networks, then permit the rest of the required traffic.