Are you talking about GETVPN?
With regards
Kings

On Wed, May 2, 2012 at 6:18 PM, Fawad Khan <[email protected]> wrote:

> There are two ways to handle the situation which you mentioned.
>
> 1. An outbound ACL on the inside/DMZ interface, so that inside hosts
> cannot initiate the traffic because of the unnecessary hole created by the ACL.
> 2. This one is not very restrictive but still better than nothing, i.e.
> instead of having the ACL like you mentioned:
>
> Permit tcp vpn ip host 10.20.30.40 23
>
> use this ACL:
>
> Permit tcp VPN ip gt 1023 host 10.20.30.40 23
>
> FNK
>
> On Wednesday, May 2, 2012, Kingsley Charles wrote:
>
>> ASA VPN filter is tricky, but one thing to remember is that it is
>> directional.
>>
>> permit tcp any host 10.20.30.40 eq 23
>>
>> Now this ACL will permit an outside user to connect to
>> 10.20.30.40@23 (inbound/post-decrypt) and at the same time allow
>> 10.20.30.40@23 (outbound/pre-encrypt) to anyone outside.
>>
>> Have you tried the "match acl" in the GETVPN crypto map? It seems it also
>> bears a similar property.
>>
>> We can add an ACL with only "deny" entries which precedes the downloaded
>> ACL from the KS, and that traffic is bypassed. This bypass is for outbound.
>> What about inbound? The mirror traffic should also be bypassed, right?
>> Whether the same ACE is going to do the job... it has not been the case for me.
>>
>> With regards
>> Kings
>>
>> On Wed, May 2, 2012 at 1:54 PM, Fawad Khan <[email protected]> wrote:
>>
>>> Not the outside network specifically; by remote I mean an IP address from
>>> the VPN pool (which from one perspective is outside of the network, but from
>>> another perspective is "now" part of the network after connecting to the VPN).
>>>
>>> On Wednesday, May 2, 2012, Kingsley Charles wrote:
>>>
>>>> Is 10.X.X.0/24 the outside network?
>>>>
>>>> The format for the vpn-filter is always
>>>>
>>>> access-list name permit <outside IP> <outside port> <inside IP> <inside port>
>>>>
>>>> irrespective of whatever is the direction of the traffic (inbound/outbound).
>>>>
>>>> Is this what you said?
>>>>
>>>> With regards
>>>> Kings
>>>>
>>>> On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:
>>>>
>>>>> Matt,
>>>>>
>>>>> As others have said, VPN-Filter will do the job. However, as Eugene
>>>>> pointed out, the ACL is tricky... remember that SOURCE in the ACL is
>>>>> always REMOTE (no matter who is initiating the connection). Check this old
>>>>> email I wrote a couple of months back; it will give you a link as well.
>>>>>
>>>>> ===================================
>>>>>
>>>>> Antonio,
>>>>>
>>>>> I think you have guessed it right, i.e. VPN-Filter under group-policy. I
>>>>> usually put something like the following in the vpn-filter ACL.
>>>>>
>>>>> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ
>>>>>
>>>>> where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core
>>>>> network/DMZ/LAN and XYZ is any service.
>>>>>
>>>>> The key about the vpn-filter ACL is that... remote addresses (i.e. the SSL VPN
>>>>> addresses in your case) would always act as the source, even though there would
>>>>> be a chance that an inside/core user would access a service on the remote
>>>>> address. For example, if you want to enable remote desktop functionality
>>>>> from your core to the SSL users, then the vpn-filter ACL would look like the
>>>>> following, in addition to the regular OUTBOUND ACL on the inside interface.
>>>>>
>>>>> access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023
>>>>>
>>>>> See page 9 of the following link:
>>>>> http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf
>>>>>
>>>>> FNK.
>>>>>
>>>>> =================================================
>>>>>
>>>>> FNK
>>>>>
>>>>> On Tue, May 1, 2012 at 7:03 PM, Eugene Pefti <[email protected]> wrote:
>>>>>
>>>>>> That's quite a workaround ;)
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Matt Hill [mailto:[email protected]]
>>>>>> Sent: 01 May 2012 15:35
>>>>>> To: Eugene Pefti
>>>>>> Cc: Piotr Matusiak
>>>>>> Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>>>>>>
>>>>>> How we got it to work was by using DAP, a new(ish) feature...
>>>>>>
>>>>>> We got the RADIUS to send the AD group to the ASA then the ASA ap
>
> --
> FNK
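An added example, not code from anyone in this thread or from Cisco: a small Python model of the vpn-filter matching rule Fawad and Kingsley describe (the remote side is always the ACE source, and the same ACE is applied whichever side initiates), used to audit an ACE for the reverse-direction hole. The ACE strings, addresses and ports are constructed for illustration, and `inside_initiated_allowed` is a hypothetical helper, not an ASA command.

```python
# Added example, not code from this thread: a model of the ASA vpn-filter matching
# rule the posts describe. Assumption: the ACE is written remote -> local and is
# checked as (remote_ip, remote_port, local_ip, local_port) whichever side initiated.
import ipaddress
from collections import namedtuple

# port specs are ("any", 0), ("eq", n), ("gt", n) or ("lt", n)
Ace = namedtuple("Ace", "remote_net remote_port local_net local_port")

def _addr(t):
    # consume one address spec: any | host A.B.C.D | A.B.C.D MASK
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] == "host":
        return ipaddress.ip_network(t[1] + "/32"), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def _port(t):
    # consume an optional eq/gt/lt N operator; absent means any port
    if t and t[0] in ("eq", "gt", "lt"):
        return (t[0], int(t[1])), t[2:]
    return ("any", 0), t

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit tcp <remote> [port] <local> [port]'."""
    t = line.split()[2:]
    if t[0] == "extended":
        t = t[1:]
    if t[:2] != ["permit", "tcp"]:
        raise ValueError("only 'permit tcp' ACEs are modelled")
    rnet, t = _addr(t[2:])
    rport, t = _port(t)
    lnet, t = _addr(t)
    lport, t = _port(t)
    return Ace(rnet, rport, lnet, lport)

def _port_ok(spec, port):
    op, n = spec
    return {"any": True, "eq": port == n, "gt": port > n, "lt": port < n}[op]

def permits(ace, remote_ip, remote_port, local_ip, local_port):
    """Match one flow against the ACE; which side initiated it is irrelevant."""
    return (ipaddress.ip_address(remote_ip) in ace.remote_net and _port_ok(ace.remote_port, remote_port)
            and ipaddress.ip_address(local_ip) in ace.local_net and _port_ok(ace.local_port, local_port))

def inside_initiated_allowed(ace, local_ip, local_src_port, remote_ip, remote_dst_port):
    """An inside host connecting out is still matched with the remote side as 'source'."""
    return permits(ace, remote_ip, remote_dst_port, local_ip, local_src_port)
```

With the loose ACE `permit tcp any host 10.20.30.40 eq 23`, `inside_initiated_allowed` reports that 10.20.30.40 may open a connection from source port 23 to any remote port; with `gt 1023` on the remote side it still may, but only to remote ports above 1023, which is the narrowing Fawad's second option describes.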
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
