cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
731
Views
0
Helpful
4
Replies

Remote Access VPN - Allow based on ports

ciscokalpesh
Level 1
Level 1

Hi,

I have Cisco ASA 5520 / ASA Ver: 8.0(4) / ASDM Ver: 6.1(3).

I have configured Remote Access VPN and everything seems to be fine. Like i have created Extended ACL and allowed for singe host with particlar port to be allowed.

After login with the Anyconnect client, i am restricted to access the single host configured, but not based on ports. i.e. i do not want user to RDP the server allowed, but only access the application based on the port that is allowed. But somehow it is not working.

Can someone guide, how can i allow user to access a server with defined port only and not any other service/port access for the server.

Thanks in advance.

K

4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

I guess there are several ways to do this depending on your setup

I guess at this point you have configured Split-Tunneling or?

You could try for example

OPTION 1

  • Configure the VPN Client username/passwords on the ASA
  • Configure the IP address assigned to VPN Client user under each username so you know what IP address the user is connecting from
  • Configure "no sysopt connection permit-vpn" which will require ALL VPN traffic to be allowed through the "outside" interface ACL. Then you can build the rules for the VPN Client users based on the IP address configured under their usernames on the "outside" interface ACL

OPTION 2

  • Configure the VPN Client username/passwords on the ASA
  • Configure the IP address assigned to VPN Client user under each username so you know what IP address the user is connecting from
  • Opposed to the above option to change the VPN/ACL behaviour, configure a VPN Filter under each username. With the VPN Filter ACL attached to the username you can configure rules differently for each user

The above are the options you could use with the ASA alone. There are other options too. If you have the username/password configured on an AAA server you might be able to build the rules there. Sadly I am not too familiar with that kind of setup.

- Jouni

malshbou
Level 1
Level 1

Hi,

vpn-filter access-list under group-policy would satisfy your requirment.

Mashal

------------------ Mashal Shboul

Hello Jouni,

Thanks for reply.

I have done the changes as per option2. After connection, when i see the details of the user session in the asa, i can see that the acl is applied as per the selection, but on the user's computer i am not able to access anything.

In the asa realtime logviewer, there are errors like below for the vpnuser

"Authorization denied (acl=SSPVPN-ACL) for user '123456' from 192.168.25.10/137 to 192.168.25.255/137 on interface outside using UDP"

Can you please guide what could be the issue ?

Thanks again.

K

Hi Jouni,

I tried the Option1 and it is working fine as required.

Is there anyway to allow access only on particular computer and not from multiple computers ? Can one user login with more than single session ?

Thanks,

K

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: