07-19-2011 06:12 PM
How would I go about filtering Outside access to a vpn port of a Cisco ASA < 8.2?
By default, it seems the VPN does not use the acl on the outside interface.
Thanks
07-20-2011 09:20 AM
As far as I know you can't. If you wanted to restrict it to a certain group of users, you would need to apply the filter on the upstream router if you manage it. If the ISP manages this router for you, they may be able to do something for you.
Jon
07-20-2011 04:57 AM
In most cases, VPN tunnels are not subject to your "outside" ACL. I'm confused about what you are asking, though. Do you want to block outside users from accessing the VPN, or only allow certain traffic over the VPN?
If you want to filter traffic that is allowed over the VPN, you can use NAT to do that. For whatever source IP that you don't want to give access to a destination IP, just don't include it in your NAT exemption. Like so:
nat (inside) 0 access-list nonat
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
The above would only exempt source IPs on the 192.168.1.0/24 block from NAT when trying to reach 10.1.1.0/24. If other subnets try to communicate directly over the VPN with 10.1.1.0/24, it will be dropped b/c it is not excluded from NAT.
Let me know if that helps. You can also use ACLs on your tunnels, but I've found it's easier to use NAT when possible.
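A constructed configuration fragment (added here, not the poster's own config) showing the NAT exemption above next to the "ACLs on your tunnels" alternative, a vpn-filter applied through a group-policy. Pre-8.3 NAT syntax is used to match the thread; the peer address 203.0.113.10, the host 192.168.1.10 and the names VPN_FILTER and SITE_B are assumptions.

```cisco
! Constructed example, not the poster's configuration. Addresses, the
! group-policy name SITE_B and the peer 203.0.113.10 are assumptions.
!
! 1. NAT exemption: only 192.168.1.0/24 -> 10.1.1.0/24 bypasses NAT.
!    Any other inside subnet is still translated and so never matches
!    the tunnel's interesting traffic.
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! 2. Tighter control with a vpn-filter. The ACL is written from the
!    remote side's point of view: source = remote network, destination
!    = local network/port. Everything not listed is implicitly denied
!    in both directions, so locally initiated connections to the remote
!    site must also be permitted (remote address/port as the source).
!    Here the remote site may reach only HTTPS on one local host and
!    may ping the local LAN.
access-list VPN_FILTER extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.1.10 eq 443
access-list VPN_FILTER extended permit icmp 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
!
group-policy SITE_B internal
group-policy SITE_B attributes
 vpn-filter value VPN_FILTER
!
! Bind the policy to the site-to-site peer so the filter applies to
! every flow through that tunnel.
tunnel-group 203.0.113.10 general-attributes
 default-group-policy SITE_B
```

Check the result with "show access-list VPN_FILTER": hit counts on its entries confirm the filter is being evaluated for tunnel traffic, while the NAT exemption alone gives no such visibility.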
07-20-2011 09:17 AM
Thanks for the reply.
However I am only trying to restrict who has access to connect to the vpn port from the internet (outside).
I have created a webvpn that listens on port 443 on the outside interface so remote users can access internal resources while on the road.
I would like to be able to filter who can access that public address, as I tried to add a deny rule on the "outside_access_in" but that does not seem to work.