01-24-2023 07:55 AM
We have a few VPN-Servers (Firepower 1140).
When a user connects he gets a static IP via RADIUS (e.g. 10.99.1.2) or an address from an address pool configured on the server (e.g. 10.0.1.2).
With our current configuration this allows traffic between the users (10.99.1.2 <-> 10.0.1.2).
How can we prevent that?
On a Wireless LAN Controller C9800 I can set P2P Blocking Action to Drop.
Is there something similar for the ASA?
We mostly use AnyConnect, but there are a few users that use their own IPsec-Client.
01-24-2023 08:02 AM
On an ASA you can create two different zones for these networks and apply policy rules.
HTH.
01-24-2023 08:39 AM
Sorry, I guess my issue is simpler than my example.
I also want to block traffic between 10.99.1.2 and 10.99.1.3.
01-24-2023 08:39 AM
Do you need that all users cannot talk to all other users, or only to specific ones?
01-24-2023 11:46 PM
Yes, no one should be able to talk to any other vpn user.
01-25-2023 05:03 AM
You can use a VPN filter:
deny VPN pool1 -> VPN pool2
permit VPN pool1 -> LAN (Inside)
01-24-2023 09:08 AM
To block traffic between VPN users on a Firepower 1140, you can create an access control policy and apply it to the VPN users.
Additionally, you can also use the "same-security-traffic permit inter-interface" command under the VPN configuration to block traffic between VPN users.
This will block all traffic between VPN users, regardless of the VPN connection type (AnyConnect or IPsec).
Please note that this will only work if VPN users are assigned IP addresses from different subnets.
Please rate this and mark as solution/answer if this resolved your issue.
All the best,
AK
01-24-2023 11:48 PM
@khorram1998 wrote: "Please note that this will only work if VPN users are assigned IP addresses from different subnets."
I think that is not good enough for me.
01-25-2023 12:48 AM
@fhk-cwempe try using a VPN filter applied to the Remote Access VPN group policy to first deny traffic between the AnyConnect user IP networks, then permit the rest of the required traffic.
https://integratingit.wordpress.com/2019/03/06/asa-vpn-filter/
02-01-2023 01:04 AM
Thank you all for the answers.
But I think configuring access lists/policies based on IP addresses/subnets is too complex for us, because we would need many exceptions.
02-01-2023 02:41 AM
No, you just need two vpn-filters:
access-list VPNfilter1 extended deny ip VPN Pool1 VPN pool2
access-list VPNfilter1 extended permit ip any any
access-list VPNfilter2 extended deny ip VPN Pool2 VPN pool1
access-list VPNfilter2 extended permit ip any any
then configure these VPN filters under the group-policy.
This makes VPN pool1 unable to connect to VPN pool2.
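As an added example (not posted by anyone in this thread) of the vpn-filter approach described in the two answers above, here is a complete ASA-style configuration. Subnets, object-group names, the group-policy name and the inside LAN range are assumptions chosen to match the addresses mentioned in the question; a single deny ACE covering all remote-access client ranges blocks both 10.99.1.2 -> 10.0.1.2 and 10.99.1.2 -> 10.99.1.3, because the filter is evaluated on the decrypted traffic of every client, and the ASA applies it in both directions with the client address as the source.

```cisco
! Added example, not the thread's own config. All names and subnets are assumed:
!   10.99.1.0/24  - addresses handed out statically via RADIUS
!   10.0.1.0/24   - local address pool on the VPN server
!   192.168.10.0/24 - inside LAN the clients are allowed to reach
object-group network RA_CLIENTS
 network-object 10.99.1.0 255.255.255.0
 network-object 10.0.1.0 255.255.255.0
object-group network INSIDE_LAN
 network-object 192.168.10.0 255.255.255.0
!
! vpn-filter ACEs are written with the VPN client as the source.
! The first ACE drops every client-to-client flow, whether the peers are in
! the same pool or in different pools; the second allows client-to-LAN only.
! A vpn-filter ends with an implicit deny, so nothing else is reachable.
access-list RA_VPN_FILTER extended deny ip object-group RA_CLIENTS object-group RA_CLIENTS
access-list RA_VPN_FILTER extended permit ip object-group RA_CLIENTS object-group INSIDE_LAN
!
! Apply the filter to every group-policy used by remote-access tunnels
! (AnyConnect and third-party IPsec clients alike), or the deny has a gap.
group-policy RA_GROUP attributes
 vpn-filter value RA_VPN_FILTER
```

Two practical notes: exceptions such as an inside IT subnet that must reach VPN users are added as permit ACEs placed before the deny (or are already covered by the client-to-LAN permit if that subnet is inside INSIDE_LAN), and the filter is independent of same-security-traffic permit intra-interface, which is the setting that allows client-to-client hairpinning on the outside interface in the first place.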
02-01-2023 11:46 PM
I do need more exceptions than I mentioned here.
Like different IT personnel (via VPN or not) accessing user devices connected via VPN.
We also got several VPN-IP-Pools for different business units.
But thanks for your answers.
Now I know what the solution would be if we decide to go this way.