Quick ACL question... I hope :)

I have been configuring ACLs on an ASA 5510 and I have found some things that are somewhat limiting. I'm sure this is because I don't fully understand the ACL structuring, but I wanted to ask some professionals.

As you know, the ASA series acts as both a firewall and VPN concentrator. Placing the concentrator within the firewall has introduced some unique challenges when writing my ACLs. I currently allow my VPN clients to browse the web while connected to VPN, but NOT with split tunneling. I have their VPN addresses NATed to the outside interface of the firewall. The problem is the order of processing on the ASA box:

1. ASA checks the packet for destination (which is outbound to the Internet)
2. ASA NATs the client request for the outbound interface
3. ASA checks the ACL on the outbound interface

The key problem here is that the ACL is not checked until after the person is NATed. So the ACL that I write has absolutely no effect on the client unless I write it to "any" or to the NATed IP they will be getting. I know the ACL is correct because if I move the ACL to the ingress of the internal interface and attempt denied protocols, I am denied as expected. I confirmed the order of operations in an ASA book that I have, so I am moved to ask: how do you restrict your VPN client pool addresses housed within the ASA without changing the restrictions on the rest of your traffic passing through the ASA?

Regards, Train

PS. Here is my ACL in case I have something incorrect.

access-list outside_out permit tcp 10.1.1.1 255.255.255.0 any eq www
access-list outside_out permit tcp 10.1.1.1 255.255.255.0 any eq https
access-list outside_out deny ip 10.1.1.1 255.255.255.0 any
access-list outside_out permit ip any any
access-group outside_out out interface outside

My goal is to restrict the VPN users to 80 and 443 traffic while not restricting my other flow of data through the ASA. The above configuration DOES NOT work.
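The processing order described in the post, modelled as a small Python simulation (an added example, not part of the original post or of any ASA code). It evaluates the poster's outside_out ACL with first-match semantics, once on the outside interface after NAT and once on the inside interface before NAT, to show why the same ACL denies on ingress but lets everything through on egress. The VPN pool 10.1.1.0/24 and the outside address 203.0.113.10 are assumed values.

```python
import ipaddress
from dataclasses import dataclass, replace

# The four ACL lines from the post, with www/https resolved to port numbers.
# The ASA masks 10.1.1.1 with 255.255.255.0, which yields the 10.1.1.0/24 network.
OUTSIDE_OUT = [
    ("permit", "tcp", "10.1.1.1", "255.255.255.0", 80),
    ("permit", "tcp", "10.1.1.1", "255.255.255.0", 443),
    ("deny",   "ip",  "10.1.1.1", "255.255.255.0", None),
    ("permit", "ip",  "0.0.0.0",  "0.0.0.0",       None),
]

VPN_POOL = ipaddress.ip_network("10.1.1.0/24")      # assumed VPN client pool
OUTSIDE_IP = ipaddress.ip_address("203.0.113.10")    # assumed outside interface address


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    proto: str   # "tcp", "udp", ...
    dport: int


def acl_action(acl, pkt):
    """First matching entry wins; implicit deny at the end (ASA semantics)."""
    for action, proto, addr, mask, port in acl:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if pkt.src not in net:
            continue
        if proto != "ip" and proto != pkt.proto:
            continue
        if port is not None and port != pkt.dport:
            continue
        return action
    return "deny"


def nat_to_outside(pkt):
    """Simplified dynamic PAT: only pool addresses are rewritten to the outside IP."""
    return replace(pkt, src=OUTSIDE_IP) if pkt.src in VPN_POOL else pkt


def egress_outside(pkt):
    """Order from the post: NAT first, then the 'out' ACL on the outside interface."""
    return acl_action(OUTSIDE_OUT, nat_to_outside(pkt))


def ingress_inside(pkt):
    """The same ACL applied inbound on an internal interface sees the pre-NAT source."""
    return acl_action(OUTSIDE_OUT, pkt)
```

A VPN client's SSH packet (10.1.1.25, tcp/22) reaches the egress ACL as 203.0.113.10, so it never touches the 10.1.1.0/24 entries and falls through to "permit ip any any"; on the inside interface the same packet hits the deny line.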

