No still on any connect VPN-filter
On Wednesday, May 2, 2012, Kingsley Charles wrote:

> Are you talking about GETVPN?
>
> With regards
> Kings
>
> On Wed, May 2, 2012 at 6:18 PM, Fawad Khan <[email protected]> wrote:
>
> > There are two ways to handle that situation which you mentioned.
> >
> > 1. An outbound ACL on the inside/DMZ interface, so that inside hosts
> > cannot initiate the traffic because of the unnecessary hole created by the ACL.
> > 2. This one is not very restrictive but still better than nothing, i.e.
> > instead of having the ACL like you mentioned
> >
> > Permit tcp vpn ip host 10.20.30.40 23
> >
> > use this ACL
> >
> > Permit tcp VPN ip gt 1023 host 10.20.30.40 23
> >
> > FNK
> >
> > On Wednesday, May 2, 2012, Kingsley Charles wrote:
> >
> > > ASA VPN filter is tricky, but one thing to remember is that it is directional.
> > >
> > > permit tcp any host 10.20.30.40 eq 23
> > >
> > > Now this ACL will permit an outside user to connect to
> > > 10.20.30.40@23 (inbound/post-decrypt) and at the same time allow
> > > 10.20.30.40@23 (outbound/pre-encrypt) to anyone outside.
> > >
> > > Have you tried the "match acl" in the GETVPN crypto map? Seems it also bears
> > > a similar property.
> > >
> > > We can add an ACL with only "deny" entries that precedes the downloaded ACL
> > > from the KS, and that traffic is bypassed. This bypass is for outbound. What
> > > about inbound? The mirror traffic should also be bypassed, right? Whether
> > > the same ACE is going to do the job. It has not been the case for me.
> > >
> > > With regards
> > > Kings
> > >
> > > On Wed, May 2, 2012 at 1:54 PM, Fawad Khan <[email protected]> wrote:
> > >
> > > > Not the outside network specifically; by remote I mean an IP address from the
> > > > VPN pool (which from one perspective is outside of the network, but from another
> > > > perspective it's "now" part of the network after connecting to the VPN).
> > > >
> > > > On Wednesday, May 2, 2012, Kingsley Charles wrote:
> > > >
> > > > > Is 10.X.X.0/24 the outside network?
> > > > >
> > > > > The format for vpn filter is always
> > > > >
> > > > > access-list name permit <outside IP> <outside port> <inside IP> <inside port>
> > > > >
> > > > > irrespective of whatever is the direction of traffic (inbound/outbound).
> > > > >
> > > > > Is this what you said?
> > > > >
> > > > > With regards
> > > > > Kings
> > > > >
> > > > > On Wed, May 2, 2012 at 7:21 AM, Fawad Khan <[email protected]> wrote:
> > > > >
> > > > > > Matt,
> > > > > >
> > > > > > As others have said, VPN-Filter will do the job; however, as Eugene
> > > > > > pointed out, the ACL is tricky. Remember that SOURCE in the ACL is
> > > > > > always REMOTE (no matter who is initiating the connection). Check this old
> > > > > > email I wrote a couple of months back; it will give you a link as well.
> > > > > >
> > > > > > ===================================
> > > > > >
> > > > > > Antonio,
> > > > > >
> > > > > > I think you have guessed it right, i.e. VPN-Filter under group-policy. I
> > > > > > usually put something like the following in the vpn-filter ACL.
> > > > > >
> > > > > > access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ
> > > > > >
> > > > > > where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core
> > > > > > network/DMZ/LAN and XYZ is any service.
> > > > > >
> > > > > > The key about the vpn-filter ACL is that remote addresses (i.e. SSL VPN
> > > > > > addresses in your case) would always act as a source, even though there would
> > > > > > be a chance that an inside/core user would access a service on the remote
> > > > > > address. For example, if you want to enable remote desktop functionality
> > > > > > from your core to the SSL users, then the vpn-filter ACL would look like the
> > > > > > following in addition to the regular OUTBOUND ACL on the inside interface.
> > > > > >
> > > > > > access-list vpn-filter-group-1 permit tcp 10.x.x.x 255.255.255.0 eq

--
FNK
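Added example, not from the thread or from any Cisco documentation: a small Python model of the vpn-filter matching rule Fawad and Kingsley describe (the remote/VPN side is always the ACL source, and the same ACE is consulted whichever side opens the connection). It assumes a constructed VPN pool of 10.1.1.0/24 and a constructed client 10.1.1.5; the inside host 10.20.30.40 and both ACEs come from the thread.

```python
import ipaddress

# Constructed values for this example (not from the thread): 10.1.1.0/24 is the
# assumed VPN address pool; 10.20.30.40 is the inside telnet host from the thread.
VPN_POOL = "10.1.1.0/24"

def ace(proto, src, sport, dst, dport):
    """One ACE in vpn-filter form: src is always the remote (VPN) side and dst the
    inside side, regardless of which side opens the connection."""
    return {"proto": proto, "src": ipaddress.ip_network(src), "sport": sport,
            "dst": ipaddress.ip_network(dst), "dport": dport}

def port_ok(spec, port):
    """Port operator as in ASA ACLs: ("any", 0), ("eq", n) or ("gt", n)."""
    op, val = spec
    return op == "any" or (op == "eq" and port == val) or (op == "gt" and port > val)

def permitted(acl, proto, remote, inside):
    """Match a flow the way the vpn-filter does: remote endpoint against the ACE
    source, inside endpoint against the ACE destination. Implicit deny at the end."""
    r_ip, r_port = remote
    i_ip, i_port = inside
    for a in acl:
        if (a["proto"] == proto
                and ipaddress.ip_address(r_ip) in a["src"] and port_ok(a["sport"], r_port)
                and ipaddress.ip_address(i_ip) in a["dst"] and port_ok(a["dport"], i_port)):
            return True
    return False

# Kingsley's ACE: permit tcp any host 10.20.30.40 eq 23
LOOSE = [ace("tcp", "0.0.0.0/0", ("any", 0), "10.20.30.40/32", ("eq", 23))]
# Fawad's tighter ACE: permit tcp <vpn pool> gt 1023 host 10.20.30.40 eq 23
TIGHT = [ace("tcp", VPN_POOL, ("gt", 1023), "10.20.30.40/32", ("eq", 23))]

def vpn_user_telnets_in(acl):
    """Intended flow: VPN client 10.1.1.5 opens telnet to the inside host."""
    return permitted(acl, "tcp", ("10.1.1.5", 50000), ("10.20.30.40", 23))

def inside_host_calls_out(acl, remote_port):
    """Reverse flow: the inside host sources from port 23 toward the VPN client.
    The same ACE is consulted, which is the hole the thread is about."""
    return permitted(acl, "tcp", ("10.1.1.5", remote_port), ("10.20.30.40", 23))

if __name__ == "__main__":
    for name, acl in (("loose", LOOSE), ("tight", TIGHT)):
        print(name, vpn_user_telnets_in(acl),
              inside_host_calls_out(acl, 445), inside_host_calls_out(acl, 50000))
```

The loose ACE lets the inside host reach any remote port from port 23; the gt 1023 version blocks the low-port case but still passes high remote ports, which is why Fawad pairs it with an outbound ACL on the inside interface.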
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
