SSL VPN - Block connectivity to all host except specified.

CardionetCCO
Level 1

Hello Guys,

I'm trying to set up an AnyConnect SSL VPN into a network. I have the user authenticating into the VPN and being placed on the specified LAN without many issues. However, I would like the users of this specific connection policy only to be able to communicate with specific hosts on the LAN.

Within the split tunneling properties I specified "Policy: Tunnel Network List" and in the Network List I created an ACL that specifies the IPs of the hosts along with the subnet mask 255.255.255.255. E.g. 192.168.1.1 255.255.255.255

My hope was to do this:

If traffic is heading to 192.168.1.1, place that traffic through the tunnel; if traffic is heading to 192.168.1.2, DON'T place it through the tunnel and have it hit the ISP gateway and die.

Is this the right way to go about this? Within the AnyConnect client I can see that I have specific "Secured Routes" when connected; however, the user can easily ping any IP on the network.

Thanks.

6 Replies

Dinesh Moudgil
Cisco Employee

Hello CardionetCCO,

In this case, if 192.168.1.1 is in your internal network and is permitted in the ACL, then it should solve the purpose.

To verify, check that in the AnyConnect client you see the secured route for 192.168.1.1 only.

FYI :

If you are on an ASA, then it is recommended that you use a standard ACL which permits the VPN clients to access the network that you assign in the ACL. If it's the router, then it is recommended to use an extended ACL which does the same and will have a source of the internal networks and a destination of the VPN clients' pool.

Hope it helps.

P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users.

Thanks,

Dinesh Moudgil

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

This does not help me.

Currently I have a group policy for the connection - I only want traffic destined to specific HOSTS to be pushed through the SSL VPN tunnel.

I did this in the ACL:

192.168.1.14 255.255.255.255

192.168.1.15 255.255.255.255

etc.

Then I specified the split tunnel "tunnel networks below" and pointed it to the ACL above. When the user connects with AnyConnect my ACL is shown under "Secured routes"; however, the user can still ping any address on the network. I want that ping attempt to be routed out their physical NIC to their ISP gateway and time out.

Thanks.

Hi

As you have defined split tunneling, the AnyConnect users should only be able to ping the specified hosts defined in the split-tunneled network list.

If they are still able to ping a network not defined in the split tunnel, then it means that the correct group-policy is not assigned.

Please send the output of the following when the users are connected:

show vpn-sessiondb anyconnect filter name

and check if the correct group-policy is defined or not.
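As an added illustration (not configuration from this thread), the ASA configuration that implements the "tunnel only these hosts" policy discussed above, with the object names SPLIT_HOSTS, GP_HOSTS_ONLY and TG_HOSTS_ONLY assumed; note that split tunneling only shapes the client's routing table, so a client that lands in a different group-policy gets different routes.

```text
! Added example, not from the thread. Names SPLIT_HOSTS, GP_HOSTS_ONLY
! and TG_HOSTS_ONLY are assumed placeholders.
!
! Standard ACL listing only the hosts that should be routed into the tunnel.
access-list SPLIT_HOSTS standard permit host 192.168.1.14
access-list SPLIT_HOSTS standard permit host 192.168.1.15
!
! Group policy: tunnel only what the list specifies (no 192.168.1.0/24 entry).
group-policy GP_HOSTS_ONLY internal
group-policy GP_HOSTS_ONLY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_HOSTS
!
! The tunnel group must hand out this group policy. A client that falls
! back to a policy with "split-tunnel-policy tunnelall", or to a list that
! contains 192.168.1.0 255.255.255.0, receives the whole-network route.
tunnel-group TG_HOSTS_ONLY type remote-access
tunnel-group TG_HOSTS_ONLY general-attributes
 default-group-policy GP_HOSTS_ONLY
!
! Verification while a user is connected (replace USERNAME):
! show vpn-sessiondb anyconnect filter name USERNAME
!   -> the "Group Policy :" field should read GP_HOSTS_ONLY
! show running-config group-policy GP_HOSTS_ONLY
! show access-list SPLIT_HOSTS
```

If the session shows a different group policy, check the tunnel-group the user is connecting to and any per-user or RADIUS-assigned policy that overrides the default.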

Well I actually found the issue. When the user logs in a static route is made for the entire network and my split tunneling ACL.

My route displays like this after AnyConnect connects:

192.168.1.0 255.255.255.0

192.168.1.6 255.255.255.255

192.168.7 255.255.255.255

As you can see, that initial route for the whole network being there is not what I want. If I remove that route manually, everything is okay.

How do we tell the AnyConnect client NOT to write that route to the system?

Thanks.

Hi

Please send the running-config so that we can check.

Thanks

Raj

Raj,

I don't feel comfortable sending my running config onto the forum. Is there a way we could set up a screen share instead?