VPN ACL

brasbehlph1
Level 1

How would I go about filtering Outside access to a vpn port of a Cisco ASA < 8.2?

By default, it seems the VPN does not use the acl on the outside interface.

Thanks


Accepted Solutions

As far as I know you can't. If you wanted to restrict it to a certain group of users you would need to apply the filter on the upstream router if you manage this. If the ISP manages this router for you they may be able to do something for you.

Jon

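An added example, not from this thread, of the upstream-router filter Jon describes: an IOS extended ACL on the ISP-facing interface that only lets a known remote-user range reach the ASA's WebVPN listener on TCP/443 and drops (and logs) every other connection attempt to it. The ASA address 203.0.113.10, the client range 198.51.100.0/24 and the interface name are placeholders, not values from the thread.

```cisco
! Added example (not from the thread). Addresses are placeholders from the
! RFC 5737 documentation ranges:
!   203.0.113.10    = the ASA outside interface where WebVPN listens on 443
!   198.51.100.0/24 = the only remote-user source range allowed to connect
ip access-list extended FILTER-WEBVPN
 remark Allow the trusted remote-user range to reach the WebVPN listener
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.10 eq 443
 remark Drop everyone else aiming at the listener; log hits for review
 deny   tcp any host 203.0.113.10 eq 443 log
 remark Leave all other traffic to and through the ASA untouched
 permit ip any any
!
interface GigabitEthernet0/0
 description ISP-facing interface (placeholder name)
 ip access-group FILTER-WEBVPN in
!
```

After applying it, `show access-lists FILTER-WEBVPN` shows per-entry hit counts, so a rising count on the deny entry tells you how often unknown sources are probing the listener.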

3 Replies

In most cases, VPN tunnels are not subject to your "outside" acl.  I'm confused what you are asking though... do you want to block outside users from accessing the VPN?  Or only allow certain traffic over the VPN?

If you want to filter traffic that is allowed over the VPN, you can use NAT to do that.  For whatever source IP that you don't want to give access to a destination IP - just don't include it in your NAT exemption.  Like so

nat (inside) 0 access-list nonat
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

The above would only exempt source IPs on the 192.168.1.0/24 block from NAT when trying to reach 10.1.1.0/24.  If other subnets try to communicate directly over the VPN with 10.1.1.0/24 - it will be dropped b/c it is not excluded from NAT.

Let me know if that helps.  You can also use ACLs on your tunnels, but I've found it's easier to use NAT when possible.

If this post answers your question or is helpful, please consider rating it and/or marking as answered.

Thanks for the reply.

However, I am only trying to restrict who has access to connect to the vpn port from the internet (outside).

I have created a webvpn that listens on port 443 on the outside interface so remote users can access internal resources while on the road.

I would like to be able to filter who can access that public address, as I tried to add a deny rule on the "outside_access_in" but that does not seem to work.

