How can I configure Linux Server Firewall for Cisco AnyConnect?

Instructions for configuring a linux server's firewall rules to allow connections via Cisco AnyConnect.

You should already have an internal firewall zone to restrict access to services (ssh is the most relevant example of a service restricted to internal sources) to hosts from your own VLAN. This firewall rule is already present on all ACCC-managed systems, but if you manage your own system and you haven't already done this, create a new firewall zone called 'internal' like this:

sudo firewall-cmd --new-zone=internal --permanent

then, run the following command to restrict source traffic to your own VLAN:

sudo firewall-cmd --add-source=10.0.0.0/8 --zone=internal --permanent

Once your internal zone is set up, add the specific address range assigned to your specific VPN context (replace X of course with your own assigned number):

sudo firewall-cmd --add-source=172.21.X.0/24 --zone=internal --permanent

Finally, make sure to restart your firewall service to load the new rules in:

sudo firewall-cmd --reload



Keywords:linux, vpn, firewall, cli   Doc ID:87627
Owner:Will M.Group:University of Illinois at Chicago ACCC
Created:2018-11-08 10:36 CSTUpdated:2019-10-24 12:51 CST
Sites:University of Illinois at Chicago ACCC
Feedback:  0   0