How can we block the remote access VPN users from talking to each other on a Cisco 5516-X ASA appliance running a 9.1 image? Let's say the remote pool is in the subnet 192.168.1.0/24. I want to make sure they only talk to the Head Office but not to each other. Also, I want to know if this is a common deployment (best practice). Split tunneling is not enabled.
If you want to use tunnelall and make the users unable to talk to each other, you have several options:
- Have the command same-security permit intra-interface disabled
- Use a VPN filter in the group-policy allowing the connection to some networks only
- Disable the command sysopt connection permit-vpn
Now let me clarify each one of them:
* The command same-security permit intra-interface allows the ASA to redirect traffic back out the same interface it came in on (U-turn)
* Using a VPN filter tells the ASA which traffic will be permitted through the tunnel. Check this link as reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
* Disabling the command sysopt connection permit-vpn makes the traffic be checked against the access-group, and if it is not allowed it will be dropped.
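As an added illustration of the first two options above (this is example configuration, not something posted in the thread), the following ASA CLI fragment keeps tunnel-all in place while a VPN filter limits the clients to the Head Office LAN and explicitly denies client-to-client traffic. The pool 192.168.1.0/24 comes from the question; the Head Office LAN 10.10.0.0/16, the ACL name RA-VPN-FILTER and the group-policy name RA-GP are assumptions chosen for the example.

```cisco
! Added example, not from the thread. Assumes: RA pool 192.168.1.0/24 (from the question),
! Head Office LAN 10.10.0.0/16 (assumed), names RA-VPN-FILTER and RA-GP (assumed).
!
! Option 1: do not let the ASA hairpin traffic back out the interface it arrived on.
! With this off, one VPN client cannot reach another through the outside interface.
no same-security-traffic permit intra-interface
!
! Option 2: VPN filter. For remote-access sessions the ACE is written with the
! client (pool) address as source and the local network as destination.
! First ACE explicitly denies pool-to-pool traffic, second allows only the HQ LAN,
! and the final deny makes the implicit deny visible in hit counters.
access-list RA-VPN-FILTER extended deny   ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list RA-VPN-FILTER extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list RA-VPN-FILTER extended deny   ip any any
!
! Attach the filter to the group policy that the remote-access users land in,
! keeping the tunnel-all policy the question describes.
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
 vpn-filter value RA-VPN-FILTER
!
! Verification after a user connects: the session detail shows the filter name applied,
! and the ACL hit counts show the pool-to-pool deny being matched if clients try it.
show vpn-sessiondb detail anyconnect filter name <username>
show access-list RA-VPN-FILTER
```

Because tunnel-all sends the clients' Internet traffic through the ASA as well, the final deny in the filter also drops that traffic; that matches the question's requirement (Head Office only), but if users still need Internet access through the tunnel, a permit to any for the pool would have to be added before the final deny while keeping the pool-to-pool deny first.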