PIX/ASA version 7.x can limit remote access VPN users to only the areas of the network that you want them to access. In order to restrict what internal networks remote access VPN users can access behind the PIX Security Appliance or Adaptive Security Appliance (ASA), apart from the basic configuration in Configuring Remote Access IPSec VPNs, these steps are required:
1. Create access lists.
2. Associate the access lists with group policies.
3. Associate those group policies with tunnel groups.
Refer to PIX/ASA 7.x ASDM: Restrict the Network Access of Remote Access VPN Users in order to use Cisco Adaptive Security Device Manager (ASDM) to block access.
Use the vpn-filter command in group policy or username in order to block access.
Configure ACLs in order to permit or deny various types of traffic for this user or group policy, then use the vpn-filter command in order to apply those ACLs.
This example uses a vpn-filter with a Remote Access VPN client. The client assigned IP address is 10.10.10.1/24 and the local network is 192.168.1.0/24. This access control entry (ACE) allows the Remote Access VPN client to Telnet to the local network:
access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23
This ACE allows the local network to Telnet to the Remote Access client:
access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0
This example shows how to set a filter that applies the access list vpnfilt-ra built above to the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributes
hostname(config-group-policy)#vpn-filter value vpnfilt-ra
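The three steps listed at the top (create the access list, bind it to a group policy, bind the group policy to a tunnel group) carried through end to end, as an added example that is not taken from the Cisco document above. The tunnel-group name RA-Tunnel and the second ACE for DNS are assumptions for illustration; the ACL ends in the implicit deny, so anything not permitted here is dropped for every user in FirstGroup.

```text
! Step 1: the filter ACL, written with the VPN client as source and the
! local network as destination (the ASA applies it to both directions of the flow)
access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 192.168.1.0 255.255.255.0 eq 23
access-list vpnfilt-ra permit tcp 10.10.10.1 255.255.255.255 eq 23 192.168.1.0 255.255.255.0
! hypothetical extra ACE: let the client resolve names against the internal DNS server
access-list vpnfilt-ra permit udp 10.10.10.1 255.255.255.255 host 192.168.1.10 eq 53
! everything else (HTTP, SMB, RDP, ...) hits the implicit deny at the end of the ACL

! Step 2: attach the ACL to the group policy
group-policy FirstGroup internal
group-policy FirstGroup attributes
 vpn-filter value vpnfilt-ra

! Step 3: make that group policy the default for the tunnel group the users connect to
! (RA-Tunnel is an assumed name; use the tunnel group from your remote access configuration)
tunnel-group RA-Tunnel general-attributes
 default-group-policy FirstGroup

! Verification: hit counts on the ACEs rise as the filter permits or drops client traffic
show access-list vpnfilt-ra
```

Because the filter is evaluated per flow against the client address, a user whose session is assigned a different IP from the pool is not matched by the host ACEs above; when the pool is larger than one address, write the source as the whole pool network instead.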