We are using ASA 5520s as our firewalls and our salespeople connect in over IPsec with VPN Client v5. With our previous Checkpoint firewalls and clients we could add a default policy which would be active while the client was not connected, which would limit which websites the salespeople could visit while not connected to the firewall.
With our new Cisco setup we are able to restrict what websites they visit while they are connected, but once they disconnect from the firewall they have unrestricted access to the web. Is there a way to limit this to a list of predefined business-related sites?
At the moment they are blocked from accessing non-business-related websites while connected because we have only specified the sites they are allowed to access in the ACL that has been applied to the IP pool the VPN clients use. However, once they disconnect they can access any sites.
(With the Checkpoint VPN-1 client a default policy was pushed down from the server with the VPN policy. Once the client disconnected from the VPN the default policy kicked in and would block them from accessing sites not specified in the policy.)
So at the moment the ASA blocks anyone with an address in the VPN IP pool from accessing any website not in its ACL. Is there a way to push a policy to the Cisco VPN Client stateful firewall to do the same even when the client is not connected to the firewall?
(Apologies if I'm using the wrong terminology here or if I'm missing something basic, but I'm new to Cisco firewalls.)
Another thought has occurred to me: is it possible to block them from accessing all websites when they are not connected by enforcing a proxy on the laptops? This might work. Basically it's more important that they be blocked from non-business sites when they are not connected to the VPN than to allow them access to business sites when they are not on the VPN.
Sorry for the late response.
I don't think you can inject a customized firewall policy rule to the VPN client when they are not connected.
You can use the stateful always-on firewall, but you can customize it as far as I'm aware.
Enforcing a proxy on the laptops as you describe might be a better solution.
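One way to carry out the proxy idea from the reply above is a proxy auto-config (PAC) file that lets the browser reach an allowlist of business domains directly and sends everything else to a proxy that does not exist, so browsing fails closed off the VPN. This is an added example, not configuration from the thread or from Cisco; the domain list, the VPN pool subnet and the blackhole proxy address are constructed placeholders, and the `clientIp` parameter is a testing seam for running the file outside a browser.

```javascript
// Added example (not from the thread): a PAC file that allowlists business
// sites and blackholes everything else when the laptop is off the VPN.
// All hostnames, subnets and proxy addresses are constructed placeholders.

// Business sites reachable without the VPN (constructed list).
var ALLOWED_DOMAINS = ["crm.example.com", "intranet.example.com", "example.com"];

// Address pool the ASA hands to VPN clients (constructed placeholder).
var VPN_POOL = "10.99.0.0";
var VPN_MASK = "255.255.0.0";

// A proxy nothing listens on: connections sent here simply fail.
var BLACKHOLE = "PROXY 127.0.0.1:9";

// Minimal versions of the PAC helpers browsers provide natively, so the
// same file also runs under Node for testing.
function dnsDomainIs(host, domain) {
  return host === domain || host.endsWith("." + domain);
}
function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, o) { return acc * 256 + parseInt(o, 10); }, 0);
}
function isInNet(ip, net, mask) {
  // Both sides pass through the same 32-bit truncation, so the comparison holds.
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Browsers call FindProxyForURL(url, host) for every request; a third
// argument is only used here so tests can supply the client address
// instead of the browser's myIpAddress().
function FindProxyForURL(url, host, clientIp) {
  var ip = clientIp !== undefined ? clientIp : myIpAddress();
  host = host.toLowerCase();
  // On the VPN the ASA ACL already restricts browsing: go direct into the tunnel.
  if (isInNet(ip, VPN_POOL, VPN_MASK)) {
    return "DIRECT";
  }
  // Off the VPN: only allowlisted domains are reachable, all else is blackholed.
  for (var i = 0; i < ALLOWED_DOMAINS.length; i++) {
    if (dnsDomainIs(host, ALLOWED_DOMAINS[i])) {
      return "DIRECT";
    }
  }
  return BLACKHOLE;
}
```

The PAC URL has to be locked in the browser and OS proxy settings (for example via group policy) or the user can simply remove it, and it governs only applications that honour proxy settings, so it complements rather than replaces the ASA ACL.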