blocking websites for offline ipsec vpn users

Postby Guest » Sun Jan 09, 2011 2:10 pm

Hi,

We are using ASA 5520s as our firewalls and our salespeople connect in over IPsec with VPN client v5. With our previous Check Point firewalls and clients we could add a default policy which would be active while the client was not connected, which would limit which websites the salespeople could visit while not connected to the firewall.

With our new Cisco setup we are able to restrict what websites they visit while they are connected, but once they disconnect from the firewall they have unrestricted access to the web. Is there a way to limit this to a list of predefined business-related sites?

Thanks,

Sam

Guest
 

Re:blocking websites for offline ipsec vpn users

Postby Guest » Sun Jan 09, 2011 2:34 pm

Hi,

 

How do you restrict the websites the clients visit while they're connected?

Are you using the Firewall feature for VPN?

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/vpngrp.html#wp1182773

 

You can use the ASA to block access to specific websites using MPF.

 

Federico.

Guest
 

Re:blocking websites for offline ipsec vpn users

Postby Guest » Sun Jan 09, 2011 2:48 pm

Hi Federico,

 

At the moment they are blocked from accessing non-business-related websites while connected because we have only specified the sites they are allowed to access in the ACL that has been applied to the IP pool the VPN clients use. However, once they disconnect they can access any sites.

 

(With the Check Point VPN-1 client a default policy was pushed down from the server with the VPN policy. Once the client disconnected from the VPN, the default policy kicked in and would block them from accessing sites not specified in the policy.)

 

So at the moment the ASA blocks anyone with an address in the VPN IP pool from accessing any website not in its ACL. Is there a way to push a policy to the Cisco VPN client stateful firewall to do the same even when the client is not connected to the firewall?

(Apologies if I'm using the wrong terminology here or if I'm missing something basic, but I'm new to Cisco firewalls.)

 

Thanks,

Sam

Guest
 

Re:blocking websites for offline ipsec vpn users

Postby Guest » Sun Jan 09, 2011 2:49 pm

Another thought has occurred to me: is it possible to block them from accessing all websites when they are not connected by enforcing a proxy on the laptops? This might work; basically it's more important that they be blocked from non-business sites when they are not connected to the VPN than to allow them access to business sites when they are not on the VPN.

Guest
 

Re:blocking websites for offline ipsec vpn users

Postby Guest » Sun Jan 09, 2011 4:15 pm

Sorry for the late response.

I don't think you can inject a customized firewall policy rule to the VPN client when they are not connected.

You can use the stateful always-on firewall but you can't customize it as far as I'm aware.

Enforcing a proxy on the laptops as you describe might be a better solution.

 

Federico.

Guest
 


