Remote Access VPN users- blocking

Kishore Chennupati
Rising star

Hello vpn experts,

How can we block the remote access VPN users from talking to each other on a Cisco 5516-X ASA appliance running the 9.1 image? Let's say the remote pool is in the subnet 192.168.1.0/24. I want to make sure they only talk to the Head Office but not to each other. Also, I want to know if this is a common deployment (best practice). Split tunneling is not enabled.

Any help will be appreciated

Thanks

4 Replies

Philip D'Ath
Advisor

You could remove the option which allows VPN's to bypass access control lists, and then create a rule allowing the remote VPN users to only talk to the internal network.

I always enable split tunnelling. It is up to your security posture as to whether you want it or not.

carlguer
Beginner

Hello Kishore, 

If you want to use tunnelall and make the users unable to talk to each other, you have several options:

- Have the command same-security permit intra-interface disabled 

- Use a VPN filter in the group-policy allowing the connection to some networks only

- Disable the command sysopt connection permit-vpn

Now let me clarify each and one of them:

* The command same-security permit intra-interface allows the ASA to redirect traffic back out the same interface it arrived on (U-turn).

* Using a VPN filter tells the ASA which traffic will be permitted through the tunnel. Check this link as reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

* Disabling the command sysopt connection permit-vpn makes the traffic be checked against the access-group, and if it is not allowed it will be dropped.

Please rate this comment if you find it useful.

Regards, 

- Javier - 

Thanks a lot for your reply Javier.

- Have the command same-security permit intra-interface disabled 

Can't do this as the VPN device is one-arm.

- Use a VPN filter in the group-policy allowing the connection to some networks only

Will this stop the remote clients from talking to each other?

- Disable the command sysopt connection permit-vpn

I am assuming this relates to the point above

Hello Kishore,

If you set the VPN-filter properly you can prevent the users from talking to each other.

You can check the following document that explains how the VPN filters work and how you set them:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html

Regards,

- Javier - 
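Added example, not from the thread or from Cisco's documentation: an ASA configuration that applies the vpn-filter approach described above to the 192.168.1.0/24 pool from the question. The Head Office network (10.10.0.0/16) and the object names (RA-VPN-FILTER, RA-GP, RA-TG, RA-POOL) are placeholders I chose for illustration.

```cisco
! Remote access pool from the question.
ip local pool RA-POOL 192.168.1.1-192.168.1.254 mask 255.255.255.0

! vpn-filter ACLs are written with the remote client address as the SOURCE
! and the inside resource as the DESTINATION. The ASA evaluates the same
! ACL on decrypted traffic leaving the tunnel and on traffic about to enter
! it (swapping source/destination for the return path), so one line per
! flow is enough; an explicit deny for pool-to-pool traffic comes first.
access-list RA-VPN-FILTER extended deny ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list RA-VPN-FILTER extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
! Implicit deny: clients cannot reach anything except the Head Office range.

! Group policy: tunnel everything (no split tunnel) and attach the filter.
group-policy RA-GP internal
group-policy RA-GP attributes
 split-tunnel-policy tunnelall
 vpn-filter value RA-VPN-FILTER

! Tie the pool and policy to the remote access tunnel group.
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-GP

! Verification: the deny line's hitcnt should increase when two connected
! clients try to reach each other while Head Office traffic keeps flowing.
show access-list RA-VPN-FILTER
```

The filter is enforced independently of `sysopt connection permit-vpn`, so it still blocks client-to-client traffic on a one-arm ASA where `same-security-traffic permit intra-interface` has to stay enabled for the tunnelall hairpin.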
