Question : Cisco VPN and Split Tunneling

Hi Everyone,
I have an issue with a new remote access Cisco VPN setup. It needs to be a pretty secure connection, so I only want people in this VPN group to have access to certain ports. Below is a statement for my split tunnel ACL, and it works fine, no problems.

extended permit ip host 192.168.100.2 10.254.254.0 255.255.255.0

But I want to lock it down so the VPN users on 10.254.254.0 can only have access to port 80 on 192.168.100.2, so when I remove the rule above and replace it with the following rule, I can no longer access port 80:

extended permit tcp host 192.168.100.2 10.254.254.0 255.255.255.0 eq 80

Can someone explain what I may be doing wrong in this case? I am using a 515 PIX on version 7.2.

Answer : Cisco VPN and Split Tunneling

Another solution can be using vpn-filter:

access-list filter permit tcp 10.254.254.0 255.255.255.0 host 192.168.100.2 eq 80
access-list filter deny tcp 10.254.254.0 255.255.255.0 host 192.168.100.2
access-list filter permit ip any any

Assuming that you are using DfltGrpPolicy as the group-policy for remote access:

group-policy DfltGrpPolicy attributes
 vpn-filter filter

The advantage of using vpn-filter is that it will not even allow denied traffic to reach the local network, whereas in the other method only the reply from the local network is denied. The local network will still be receiving requests that are meant to be denied.
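As an added illustration (not part of the original answer), the following Python simulation applies first-match evaluation to the vpn-filter ACL above. The parser, the sample flows and the trailing implicit deny are my own assumptions about how the PIX processes the list; it shows why the port-80 permit must precede the deny and why the final permit ip any any is needed for everything else.

```python
import ipaddress

# Constructed copy of the vpn-filter ACL from the answer above (PIX syntax).
VPN_FILTER = """
access-list filter permit tcp 10.254.254.0 255.255.255.0 host 192.168.100.2 eq 80
access-list filter deny tcp 10.254.254.0 255.255.255.0 host 192.168.100.2
access-list filter permit ip any any
"""


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, dst_port=None):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, s, d, port in entries:
        if p != "ip" and p != proto:
            continue
        if src not in s or dst not in d:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every PIX/ASA ACL


if __name__ == "__main__":
    acl = parse_acl(VPN_FILTER)
    # Assumed sample client 10.254.254.10 from the VPN pool (constructed).
    print(evaluate(acl, "tcp", "10.254.254.10", "192.168.100.2", 80))  # permit
    print(evaluate(acl, "tcp", "10.254.254.10", "192.168.100.2", 22))  # deny
```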