05-10-2016 06:21 AM - edited 02-21-2020 08:48 PM
Hello vpn experts,
How can we block the remote access VPN users from talking to each other on a Cisco 5516-X ASA appliance running the 9.1 image? Let's say the remote pool is in the subnet 192.168.1.0/24. I want to make sure they only talk to the Head Office but not to each other. Also, I am wanting to know if this is a common deployment (best practice). Split tunneling is not enabled.
Any help will be appreciated
Thanks
05-10-2016 12:22 PM
You could remove the option which allows VPNs to bypass access control lists, and then create a rule allowing the remote VPN users to only talk to the internal network.
I always enable split tunnelling. It is up to your security posture as to whether you want it or not.
05-16-2016 04:00 PM
Hello Kishore,
If you want to use tunnelall and make the users unable to talk to each other, you have several options:
- Have the command same-security permit intra-interface disabled
- Use a VPN filter in the group-policy allowing the connection to some networks only
- Disable the command sysopt connection permit-vpn
Now let me clarify each one of them:
* The command same-security permit intra-interface allows the ASA to redirect traffic back out the same interface it came in on (U-turn)
* Using a VPN filter tells the ASA which traffic will be permitted through the tunnel. Check this link as reference: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
* Disabling the command sysopt connection permit-vpn makes the traffic get checked against the access-group, and if it is not allowed it will be dropped.
Please rate this comment if you find it useful.
Regards,
- Javier -
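The two ACL-based options above, written out as an added ASA configuration example (this is not from the original thread or from Cisco's documentation). The pool 192.168.1.0/24 comes from the question; the head-office network 10.10.0.0/16, the ACL names RA_VPN_FILTER and OUTSIDE_IN, and the group-policy name RA_GP are assumptions chosen for illustration. A vpn-filter ACL is written with the remote client as the source and the local network as the destination, and the ASA applies it to both directions of the tunnelled traffic, so one deny line for pool-to-pool traffic is enough to stop clients reaching each other, while the permit line keeps head-office access working. An explicit deny is not strictly needed because of the implicit deny at the end of the ACL, but it makes the intent visible and gives you a hit counter to check.

```cisco
! --- Option 1: vpn-filter in the group-policy (only affects sessions using RA_GP) ---
! Source = remote client address (192.168.1.0/24 pool), destination = local network.
access-list RA_VPN_FILTER remark Block client-to-client traffic inside the remote pool
access-list RA_VPN_FILTER extended deny ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list RA_VPN_FILTER remark Allow clients to reach the head office (assumed 10.10.0.0/16)
access-list RA_VPN_FILTER extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
! Anything else, including client-to-client, hits the implicit deny at the end of the ACL.

group-policy RA_GP attributes
 vpn-filter value RA_VPN_FILTER

! Because split tunneling is off and the ASA is one-arm, internet-bound traffic still
! needs to U-turn out the outside interface, so this stays enabled:
same-security-traffic permit intra-interface

! --- Option 2: stop VPN traffic from bypassing the interface ACL (affects ALL VPN
! --- traffic terminating on this ASA, including site-to-site tunnels) ---
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended deny ip 192.168.1.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-group OUTSIDE_IN in interface outside

! --- Checks after a client connects ---
! Confirm the filter is attached to the session (look for the "Filter Name" field):
show vpn-sessiondb detail anyconnect
! Confirm the deny line is actually matching when one client pings another:
show access-list RA_VPN_FILTER
```

Option 1 is the narrower change, since it only touches sessions that land in RA_GP; option 2 changes the behaviour of every tunnel on the box and means the outside ACL must also carry permits for any existing site-to-site traffic, so it needs a careful review of the existing access-group before it is enabled.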
05-26-2016 10:54 PM
Thanks a lot for your reply Javier.
- Have the command same-security permit intra-interface disabled
Can't do this as the VPN device is one-arm.
- Use a VPN filter in the group-policy allowing the connection to some networks only
Will this stop the remote clients from talking to each other?
- Disable the command sysopt connection permit-vpn
I am assuming this relates to the point above
05-30-2016 06:47 AM
Hello Kishore,
If you set the VPN-filter properly you can prevent the users from talking to each other.
You can check the following document that explains how the VPN filters work and how you set them:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html
Regards,
- Javier -