Is 10.X.X.0/24 the outside network? The format for the vpn-filter is always

access-list name permit <outside IP> <outside port> <inside IP> <inside port>

irrespective of the direction of the traffic (inbound/outbound). Is this what you said?

With regards,
Kings

On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:
> Matt,
>
> As others have said, VPN-Filter will do the job. However, as Eugene
> pointed out, the ACL is tricky. Remember that SOURCE in the ACL is
> always REMOTE (no matter who is initiating the connection). Check this old
> email I wrote a couple of months back; it will give you a link as well.
>
> ===================================
>
> Antonio,
>
> I think you have guessed it right, i.e. VPN-Filter under group-policy. I
> usually put something like the following in the vpn-filter ACL:
>
> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ
>
> where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core
> network/DMZ/LAN and XYZ is any service.
>
> The key thing about the vpn-filter ACL is that remote addresses (i.e. the SSL VPN
> addresses in your case) always act as the source, even though there is
> a chance that an inside/core user would access a service on the remote
> address. For example, if you want to enable remote desktop functionality
> from your core to the SSL users, then the vpn-filter ACL would look like the
> following, in addition to the regular OUTBOUND ACL on the inside interface:
>
> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023
>
> See page 9 of the following link:
> http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf
>
> FNK.
> =================================================
>
> FNK
>
> On Tue, May 1, 2012 at 7:03 PM, Eugene Pefti <[email protected]> wrote:
>> That's quite a workaround ;)
>>
>> -----Original Message-----
>> From: Matt Hill [mailto:[email protected]]
>> Sent: 01 May 2012 15:35
>> To: Eugene Pefti
>> Cc: Piotr Matusiak
>> Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>>
>> How we got it to work was by using DAP, a new(ish) feature...
>>
>> We got the RADIUS to send the AD group to the ASA, then the ASA applies an
>> ACL based on the attribute received from the RADIUS.
>>
>> Cheers for your help,
>> Matt
>>
>> On 20 April 2012 05:02, Eugene Pefti <[email protected]> wrote:
>> > And don't forget about the tricky logic of this ACL, Matt.
>> >
>> > The sources are the IPs in the VPN pool and the destinations are the hosts
>> > protected by the firewall.
>> >
>> > Eugene
>> >
>> > From: [email protected]
>> > [mailto:[email protected]] On Behalf Of Piotr Matusiak
>> > Sent: 17 April 2012 22:33
>> > To: Matt Hill
>> > Cc: CCIE Security Maillist
>> > Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>> >
>> > Hi Matt,
>> >
>> > Use the vpn-filter command, with which you can reference an extended ACL to
>> > filter the traffic per group. This command is under group-policy, which
>> > is referenced from your tunnel-group.
>> >
>> > Regards,
>> > Piotr
>> >
>> > 2012/4/18 Matt Hill <[email protected]>
>> >
>> > Hi Everyone,
>> >
>> > I have a client who has a bunch of different user groups, let's call
>> > them GROUP_1, GROUP_2 & GROUP_3, each with different network access
>> > requirements & restrictions.
>> >
>> > The requirement is that if a user from GROUP_1 logs in, it gains
>> > network access defined in ACL_1; if a user from GROUP_2 logs in, then
>> > it gains access defined in ACL_2, and likewise for the third group.
>> >
>> > I am normally good with the Cisco Docs and Googleisms, but this time
>> > I'm not having a very good time trying to find what I am after.
>> >
>> > If anyone has a decent doco link or sample config I'd appreciate it.
>> >
>> > Cheers,
>> > Matt
>> > CCIE #22386
>> > CCSI #31207
>> > _______________________________________________
>> > For more information regarding industry leading CCIE Lab training,
>> > please visit www.ipexpert.com
>> >
>> > Are you a CCNP or CCIE and looking for a job? Check out
>> > www.PlatinumPlacement.com
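The rule the thread keeps coming back to (in a vpn-filter ACL the source fields of every entry describe the remote VPN peer and the destination fields the protected network, whichever side opens the connection) is easy to get wrong when writing the ACL by hand. The following Python model is an added example, not code from the mailing list or from Cisco: it parses ASA-style ACEs, works out which end of a new connection is the VPN client, and evaluates the ACL the way the thread describes. The VPN pool 10.10.10.0/24, the inside range 192.168.0.0/16, the ACL names and port 443 (standing in for "XYZ") are constructed values, and only the eq/gt/lt port operators are handled.

```python
"""Model of Cisco ASA vpn-filter ACL evaluation (added example, not from the thread).

Implements the rule stressed in the thread: the ACE *source* is always the remote
VPN peer and the ACE *destination* is always the protected (inside) network,
regardless of which end initiates the connection. All addresses, ports and ACL
names below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src_net: ipaddress.IPv4Network   # remote (VPN pool) side
    src_port: tuple                  # (operator, port) or None
    dst_net: ipaddress.IPv4Network   # inside (protected) side
    dst_port: tuple


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D MASK' from the token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = tokens.pop(0)
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq|gt|lt N' port qualifier (assumption: only these three)."""
    if tokens and tokens[0] in ("eq", "gt", "lt"):
        op = tokens.pop(0)
        return (op, int(tokens.pop(0)))
    return None


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC [PORT] DST [PORT]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    tokens = tokens[2:]                 # drop the keyword and the ACL name
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src_net, src_port = _parse_addr(tokens), _parse_port(tokens)
    dst_net, dst_port = _parse_addr(tokens), _parse_port(tokens)
    return Ace(action, proto, src_net, src_port, dst_net, dst_port)


def _port_ok(spec, port):
    if spec is None:
        return True
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n}[op]


def vpn_filter_decision(acl, proto, remote_ip, remote_port, inside_ip, inside_port):
    """First-match evaluation; the remote side is always compared to the ACE source."""
    r, i = ipaddress.ip_address(remote_ip), ipaddress.ip_address(inside_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if (r in ace.src_net and i in ace.dst_net
                and _port_ok(ace.src_port, remote_port)
                and _port_ok(ace.dst_port, inside_port)):
            return ace.action
    return "deny"                       # implicit deny at the end of every ACL


def evaluate(acl_lines, vpn_pool, proto, init_ip, init_port, resp_ip, resp_port):
    """Apply a vpn-filter ACL to a new connection.

    Whichever endpoint lies in `vpn_pool` is the remote peer and is matched against
    the ACE source fields, even when that peer is the responder (e.g. an inside
    host opening RDP to a VPN user).
    """
    pool = ipaddress.ip_network(vpn_pool)
    acl = [parse_ace(line) for line in acl_lines]
    if ipaddress.ip_address(init_ip) in pool:       # VPN user opened the connection
        remote, inside = (init_ip, init_port), (resp_ip, resp_port)
    elif ipaddress.ip_address(resp_ip) in pool:     # inside host reached out to the VPN user
        remote, inside = (resp_ip, resp_port), (init_ip, init_port)
    else:
        raise ValueError("neither endpoint is in the VPN pool; vpn-filter does not apply")
    return vpn_filter_decision(acl, proto, *remote, *inside)


# Constructed ACL in the shape the thread recommends: remote-side fields first.
VPN_FILTER = [
    "access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443",
    "access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023",
]
# The same RDP intent written the intuitive way (inside as source): never matches.
NAIVE_FILTER = [
    "access-list naive-filter extended permit tcp 192.168.0.0 255.255.0.0 gt 1023 10.10.10.0 255.255.255.0 eq 3389",
]

if __name__ == "__main__":
    pool = "10.10.10.0/24"
    print(evaluate(VPN_FILTER, pool, "tcp", "10.10.10.5", 40000, "192.168.1.10", 443))    # permit
    print(evaluate(VPN_FILTER, pool, "tcp", "10.10.10.5", 40000, "192.168.1.10", 22))     # deny
    print(evaluate(VPN_FILTER, pool, "tcp", "192.168.1.20", 50000, "10.10.10.5", 3389))   # permit
    print(evaluate(NAIVE_FILTER, pool, "tcp", "192.168.1.20", 50000, "10.10.10.5", 3389)) # deny
```

The third and fourth calls are the point of the thread: the inside-to-VPN-user RDP connection is permitted only because `eq 3389` sits on the remote (source) side of the entry, and an entry written with the inside network as source silently never matches, so the connection falls through to the implicit deny. Because the ASA is stateful, the filter only has to describe connection setup; reply packets of a permitted connection are not re-evaluated against the ACL.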
