Not the outside network specifically; by remote I mean an IP address from the
VPN pool (which from one perspective is outside the network, but from another
perspective is "now" part of the network after connecting to the VPN).


On Wednesday, May 2, 2012, Kingsley Charles wrote:

> Is 10.X.X.0/24 outside network?
>
> The format for the vpn-filter is always
>
> access-list name permit <outside IP> <outside port> <inside IP> <inside
> port> irrespective of the direction of the traffic (inbound/outbound).
>
> Is this what you said?
>
>
>
> With regards
> Kings
>
> On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:
>
> Matt,
>
> As others have said, VPN-Filter will do the job; however, as Eugene
> pointed out, the ACL is tricky. Remember that SOURCE in the ACL is
> always REMOTE (no matter who is initiating the connection). Check this old
> email I wrote a couple of months back; it will give you a link as well.
>
> ===================================
>
>
>
> Antonio,
>
>
> I think you have guessed it right, i.e. VPN-Filter under group-policy. I
> usually put something like the following in the vpn-filter ACL.
>
> access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ
>
> where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core
> network/DMZ/LAN and XYZ is any service.
>
> The key thing about the vpn-filter ACL is that the remote addresses (i.e. the SSL VPN
> addresses in your case) always act as the source, even though there is
> a chance that an inside/core user would access a service on the remote
> address. For example, if you want to enable remote desktop functionality
> from your core to the SSL users, then the vpn-filter ACL would look like the
> following, in addition to the regular OUTBOUND ACL on the inside interface.
>
> access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023
>
> See page 9 of the following link.
> http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf
>
>
>
>
> FNK.
> =================================================
>
>
> FNK
>
>
>
> On Tue, May 1, 2012 at 7:03 PM, Eugene Pefti <[email protected]> wrote:
>
> That's quite a workaround ;)
>
>
> -----Original Message-----
> From: Matt Hill [mailto:[email protected]]
> Sent: 01 May 2012 15:35
> To: Eugene Pefti
> Cc: Piotr Matusiak
> Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>
> How we got it to work was by using DAP, a new(ish) feature...
>
> We got the RADIUS to send the AD group to the ASA then the ASA applies an
> ACL based on the received attribute from the RADIUS.
>
> Cheers for your help,
> Matt
>
> On 20 April 2012 05:02, Eugene Pefti <[email protected]> wrote:
> > And don't forget about the tricky logic of this ACL, Matt.
> >
> > The sources are IPs in the VPN pool and the destinations are hosts protected by
> > the firewall.
> >
> >
> >
> > Eugene
> >
> >
> >
> >
> >
> > From: ccie_security-bounces@onlinestudylist
>
>

-- 
FNK
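The direction rule the thread keeps coming back to (the VPN-pool address is always matched against the SOURCE fields of the vpn-filter ACL, whoever opened the connection) is easy to get wrong when writing the ACL by hand. The following is an added example, not code from the thread or from Cisco: a small Python model that parses ASA-style extended ACL lines and evaluates flows in both directions the way the thread describes, so you can check an ACL before applying it. The addresses (10.10.10.0/24 as the VPN pool, 192.168.0.0/16 as the inside network) and the ACL name are constructed for the example; the matching logic is a simplified model of the behaviour described above, not the ASA's implementation.

```python
"""Model of vpn-filter ACL evaluation on a Cisco ASA (constructed example).

The remote (VPN-pool) end of every flow is matched against the SOURCE address
and port of the ACL, and the protected (inside) end against the DESTINATION
fields, regardless of which side initiated the connection.  Unmatched flows
hit the implicit deny at the end of the ACL.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

PortMatch = Callable[[int], bool]


@dataclass
class Ace:
    """One 'permit' entry of an extended ACL."""
    name: str
    proto: str
    src: ipaddress.IPv4Network
    src_port: PortMatch
    dst: ipaddress.IPv4Network
    dst_port: PortMatch


def _port_match(t: List[str], i: int) -> Tuple[PortMatch, int]:
    """Parse an optional port operator (eq/gt/lt/neq/range) at t[i]; no operator means any port."""
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        op, n = t[i], int(t[i + 1])
        ops = {"eq": lambda p: p == n, "gt": lambda p: p > n,
               "lt": lambda p: p < n, "neq": lambda p: p != n}
        return ops[op], i + 2
    if i < len(t) and t[i] == "range":
        lo, hi = int(t[i + 1]), int(t[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i


def _network(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' (ASA netmask notation) at t[i]."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    return ipaddress.IPv4Network(f"{t[i]}/{t[i + 1]}"), i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME [extended] permit PROTO SRC MASK [op port] DST MASK [op port]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError("not an access-list line")
    name, i = t[1], 2
    if t[i] == "extended":
        i += 1
    if t[i] != "permit":
        raise ValueError("this model only handles permit entries")
    proto, i = t[i + 1], i + 2
    src, i = _network(t, i)
    src_port, i = _port_match(t, i)
    dst, i = _network(t, i)
    dst_port, i = _port_match(t, i)
    return Ace(name, proto, src, src_port, dst, dst_port)


def vpn_filter_permits(acl: List[Ace], vpn_ip: str, vpn_port: int,
                       inside_ip: str, inside_port: int, proto: str = "tcp") -> bool:
    """Match in the vpn-filter frame: VPN end -> SOURCE fields, inside end -> DESTINATION fields."""
    v, n = ipaddress.IPv4Address(vpn_ip), ipaddress.IPv4Address(inside_ip)
    for ace in acl:
        if (ace.proto in (proto, "ip") and v in ace.src and ace.src_port(vpn_port)
                and n in ace.dst and ace.dst_port(inside_port)):
            return True
    return False  # implicit deny


def flow_permitted(acl: List[Ace], vpn_pool: str, src_ip: str, src_port: int,
                   dst_ip: str, dst_port: int, proto: str = "tcp") -> bool:
    """Evaluate a real flow (initiator -> responder) by re-orienting it into the vpn-filter frame."""
    pool = ipaddress.IPv4Network(vpn_pool)
    if ipaddress.IPv4Address(src_ip) in pool:      # VPN client initiated
        return vpn_filter_permits(acl, src_ip, src_port, dst_ip, dst_port, proto)
    return vpn_filter_permits(acl, dst_ip, dst_port, src_ip, src_port, proto)  # inside initiated


VPN_POOL = "10.10.10.0/24"  # constructed VPN pool
# Constructed ACL in the shape the thread recommends: HTTPS from VPN users to inside,
# and RDP from inside to VPN users written with the VPN end (eq 3389) as SOURCE.
ACL_OK = [
    parse_ace("access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443"),
    parse_ace("access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023"),
]
# The intuitive but wrong way to write the RDP rule (inside as source): it never matches.
ACL_WRONG = [
    parse_ace("access-list vpn-filter-group-1 extended permit tcp 192.168.0.0 255.255.0.0 gt 1023 10.10.10.0 255.255.255.0 eq 3389"),
]


def demo() -> dict:
    """Four flows: which are allowed by the good ACL, and why the 'wrong' one fails."""
    return {
        "vpn_to_https": flow_permitted(ACL_OK, VPN_POOL, "10.10.10.5", 40000, "192.168.1.10", 443),
        "vpn_to_ssh": flow_permitted(ACL_OK, VPN_POOL, "10.10.10.5", 40000, "192.168.1.10", 22),
        "inside_rdp_to_vpn_user": flow_permitted(ACL_OK, VPN_POOL, "192.168.1.20", 50000, "10.10.10.5", 3389),
        "inside_rdp_wrong_acl": flow_permitted(ACL_WRONG, VPN_POOL, "192.168.1.20", 50000, "10.10.10.5", 3389),
    }


if __name__ == "__main__":
    for flow, allowed in demo().items():
        print(f"{flow}: {'permit' if allowed else 'deny'}")
```

The last two results are the point of the thread: the same inside-to-VPN RDP session is permitted by the entry that puts the VPN pool and `eq 3389` in the source position, and denied by the entry that lists the inside network as the source, even though the inside host is the one that initiates.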