how to deny internet access while connected VPN

Hello

I use my VPN client IPsec with Cisco VPN Client.

I have some groups on AD. I use LDAP Attribute Map to allow access by Group Policies

Well, I configure ACL Manager and Standard ACL for each group, allowing only Server and Service...

Group Policies: VPN_client (ASA reads clients from this group to allow access).

ACL Manager: nl-client

    Source    Destination    Service     Action
    any       10.0.0.10      tcp/3389    Permit

Standard ACL: nl-stan-client

    Address      Action
    10.0.0.10    Permit

These above are the configs I use... Everything works fine...

With this config, user can access the internet while connected on VPN

I want when user connected on VPN, only access 10.0.0.10 on tcp/3389 and deny access to the internet.

How can I do it?

Thanks

12 Replies

Hi Diego,

All you need is to setup "split-tunnel-policy tunnelall" under the group-policy settings.

split-tunnel-policy

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s8.html#wp1560853

This will stop any traffic to the Internet, since the client will send it to the ASA.

Quoting:

"I want when user connected on VPN, only access 10.0.0.10 on tcp/3389 and deny access to the internet."

Let me know.

Please rate any post that you find useful.

Hi Diego,

This might help you...

! A split-tunnel network list is a standard (destination-prefix) ACL; it cannot carry a port.
! The tcp/3389 restriction belongs in the group-policy vpn-filter (an extended ACL), not here.
access-list TEST standard permit host 10.0.0.10

group-policy TEST_POLICY internal
group-policy TEST_POLICY attributes
 dns-server value x.x.x.x
 vpn-tunnel-protocol IPSec l2tp-ipsec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TEST

Regards,

MKD
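To make concrete what the two replies above rely on, here is an added Python model (it is not from this thread, nor Cisco code) of how a group-policy handles a packet from a VPN client. Two independent controls are involved: the split-tunnel policy and its network list decide on the client whether a destination enters the tunnel at all (a prefix-based decision, which is why the network list is a standard ACL), and the vpn-filter (Diego's extended ACL nl-client) decides on the ASA whether tunneled traffic is permitted, ending in an implicit deny. The policy names VPN_client_before and VPN_client_after, the address 203.0.113.10 standing in for an Internet host, the config text itself, and the simplified ACE matching (destination host and port only; the source field and the evaluation-direction details of a real vpn-filter are ignored) are all assumptions of the model.

```python
"""Model of split-tunnel-policy vs. vpn-filter on an ASA group-policy.

Constructed example; not ASA code and not any poster's real configuration.
Simplification: vpn-filter ACEs are matched on destination host and port only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class GroupPolicy:
    split_tunnel_policy: str = "tunnelall"
    split_network_list: list = field(default_factory=list)  # [IPv4Network]
    vpn_filter: list = field(default_factory=list)          # [(proto, IPv4Network, port|None)]
    has_vpn_filter: bool = False


def _net(tokens):
    """Parse 'any' | 'host A' | 'A MASK' at the head of tokens -> (IPv4Network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), 2


def parse_asa(config):
    """Parse the subset of ASA syntax used in this thread into {policy name: GroupPolicy}."""
    acls, policies, current = {}, {}, None
    for line in config.splitlines():
        t = line.split()
        if not t or t[0] == "!":
            continue
        if t[0] == "access-list":
            acls.setdefault(t[1], []).append(t[2:])  # ['standard'|'extended', 'permit', ...]
        elif t[0] == "group-policy" and t[-1] == "attributes":
            current = policies.setdefault(t[1], GroupPolicy())
        elif current is not None and t[0] == "split-tunnel-policy":
            current.split_tunnel_policy = t[1]
        elif current is not None and t[0] == "split-tunnel-network-list":
            for ace in acls.get(t[2], []):  # standard ACL: permit <host A | A MASK>
                if ace[:2] == ["standard", "permit"]:
                    current.split_network_list.append(_net(ace[2:])[0])
        elif current is not None and t[0] == "vpn-filter":
            current.has_vpn_filter = True
            for ace in acls.get(t[2], []):  # extended ACL: permit PROTO SRC DST [eq PORT]
                if ace[:2] == ["extended", "permit"]:
                    proto, rest = ace[2], ace[3:]
                    _, used = _net(rest)            # source field: ignored in this model
                    dst, used2 = _net(rest[used:])
                    tail = rest[used + used2:]
                    port = int(tail[1]) if tail[:1] == ["eq"] else None
                    current.vpn_filter.append((proto, dst, port))
    return policies


def is_tunneled(gp, dst_ip):
    """Client-side decision: does this destination enter the tunnel at all?"""
    ip = ipaddress.ip_address(dst_ip)
    listed = any(ip in net for net in gp.split_network_list)
    return {"tunnelall": True, "tunnelspecified": listed,
            "excludespecified": not listed}[gp.split_tunnel_policy]


def filter_permits(gp, proto, dst_ip, dport):
    """ASA-side decision for tunneled traffic: vpn-filter match, implicit deny at the end."""
    if not gp.has_vpn_filter:
        return True  # no vpn-filter configured: the ASA does not filter the tunnel
    ip = ipaddress.ip_address(dst_ip)
    return any(p in ("ip", proto) and ip in net and port in (None, dport)
               for p, net, port in gp.vpn_filter)


def decide(gp, proto, dst_ip, dport):
    """'local': leaves via the client's own interface, the ASA never sees it.
    'tunnel-permit' / 'tunnel-drop': reached the ASA and passed / failed the vpn-filter."""
    if not is_tunneled(gp, dst_ip):
        return "local"
    return "tunnel-permit" if filter_permits(gp, proto, dst_ip, dport) else "tunnel-drop"


# Constructed reproduction of the thread's before/after policies (not the real config).
CONFIG = """
access-list nl-client extended permit tcp any host 10.0.0.10 eq 3389
access-list nl-stan-client standard permit host 10.0.0.10
group-policy VPN_client_before internal
group-policy VPN_client_before attributes
 vpn-filter value nl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value nl-stan-client
group-policy VPN_client_after internal
group-policy VPN_client_after attributes
 vpn-filter value nl-client
 split-tunnel-policy tunnelall
"""
POLICIES = parse_asa(CONFIG)

if __name__ == "__main__":
    for name, gp in POLICIES.items():
        print(name, "| RDP to 10.0.0.10:", decide(gp, "tcp", "10.0.0.10", 3389),
              "| HTTPS to 203.0.113.10:", decide(gp, "tcp", "203.0.113.10", 443))
```

With tunnelspecified the Internet destination never enters the tunnel and goes out the client's own interface; with tunnelall it reaches the ASA and is dropped by nl-client, which is exactly the result Diego wants. The model has no NAT: with tunnelall and no vpn-filter it reports Internet traffic as tunnel-permit, and whether that traffic then actually reaches the Internet depends on the ASA's NAT and hairpin configuration, which is the separate problem Olga raises further down the thread.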

Hi Guys,

Thanks for the answers.

Well, I use ASDM to configure most things... Anyway, I understood what I need to do. So, I did:

Under Group Policy, Advanced, Split Tunneling, I had in Policy: Tunnel Network List Below and in Network List: nl-stan-client

I changed it to:

Policy: Tunnel All Network

Network List: Inherit

With this config, my vpn client can access 10.0.0.10 tcp/3389 (using my nl-client = Extended ACL)

And the client can't access the Internet.

I think it's OK...

Is the result the same as what you were saying to me?

Hi Diego,

Please check this out:

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Instead of using "tunnelspecified" use "tunnelall".

Let me know.

Please rate any post that you find useful.

Olga Botero
Level 1

Diego, I have the opposite problem: my VPN users can access the internal network resources but not the Internet. Can you tell me how your NAT was set up? They need to access the Internet while connected to the VPN. I have tunnelall; when I change that, the Internet works but the internal resource access does not. Thank you.

Sent from Cisco Technical Support iPad App

Hi Olga,

May I know the code version of your ASA?

Thanks!

8.4(2)

Sent from Cisco Technical Support iPad App

Thanks for the update

Do you want to access the Internet through the ASA (while connected to the VPN with tunnelall) or through the client's local network?

Thanks.

The users do not want to close the VPN connection to be able to access the internet.

Sent from Cisco Technical Support iPad App

Dear Olga,

ASA 8.x : Allow Split Tunneling for AnyConnect VPN Client on the ASA Configuration Example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080975e83.shtml

Please use "tunnelspecified".

This is a complete example, including the NAT rules:

1- access-list SPLIT_ACL_AC permit 192.168.2.0 255.255.255.0

   group-policy Group-policy_VPN_Clients attributes
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value SPLIT_ACL_AC

2- ip local pool VPN_AC 192.168.1.1-192.168.1.254

3- object network obj-192.168.1.0_24 ----------> VPN pool
    subnet 192.168.1.0 255.255.255.0

4- object network obj-192.168.2.0_24 ----------> Inside network
    subnet 192.168.2.0 255.255.255.0

5- nat (inside,outside) 1 source static obj-192.168.2.0_24 obj-192.168.2.0_24 destination static obj-192.168.1.0_24 obj-192.168.1.0_24 route-lookup ----------> NAT to allow the VPN pool to access the Inside.

Let me know if you have any questions.

Please rate any post you find useful.

Thank you Javier, I did have the split tunnel setup but my extended ACL did not have access from the pool addresses for the iPad to the internal network; I had an "Any" that was breaking the split. Once I added that rule the whole thing worked like a champ. I appreciate your help and response.

Sent from Cisco Technical Support iPad App

Good news

It was very nice working with you.

Take care.