topic Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect in Network Security

Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Thu, 30 May 2024 17:26:30 GMT

I am implementing Anyconnect SSL client VPN and I only want 2 users to be able to access the network on this connection. How can I restrict that access? I have found different thoughts on this but nothing that seems to work. Please help.

Thanks,

Ken

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

Rob Ingram — Thu, 30 May 2024 17:33:06 GMT

@kcousino123

A couple of options, you can configure "vpn-simultaneous-logins 2" under the group policy to restrict the number of connections.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-groups.html?bookSearch=true

Example:

hostname(config)# group-policy <group policy name> attributes
hostname(config-group-policy)# vpn-simultaneous-logins 2

If the ASA is unlicensed you get 2 free RAVPN licenses, so you may not need to do anything.

Another option is to configure a VPN pool with only 2 IP addresses, that will achieve the samething as the other options.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

MHM Cisco World — Thu, 30 May 2024 17:40:30 GMT

What you try and not work?

MHM

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Thu, 30 May 2024 17:57:21 GMT

I am trying to stop attempts to connect by all except 2 or 3 users.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Thu, 30 May 2024 17:59:10 GMT

I am using a nonstandard port and I tried blocking traffic with an acl and thought I applied it to the control plane.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

MHM Cisco World — Thu, 30 May 2024 18:01:01 GMT

All except two user that have correct password?

How other connect with wrong password?

MHM

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Thu, 30 May 2024 18:10:19 GMT

I am wanting to stop people from even getting through to have the option to try to log in.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

Marvin Rhoads — Fri, 31 May 2024 02:36:44 GMT

Stopping successful logins is easy. Stopping ATTEMPTS is much more difficult. Yes, you can build (and continually update) control-plane ACLs but that will make your full-time job keeping up with them.

Two other methods are:

1. Use an unpublished URL for the desired connection profile. For the default profile, point it to a dummy of blackhole AAA server. You will still get attempts but they won't bombard your legitimate authentication source.

2. If you have a PKI, issue certificates to the permitted users and make certificate-based authentication the only allowed method. This will prevent random scans from ever even trying to authenticate since they will be offering random usernames and passwords.

No matter what method you use, inbound traffic will still be seen (and blocked) by the firewall. That is the nature of being connected to the modern Internet.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Fri, 31 May 2024 18:36:46 GMT

Marvin,

For the control-plane ACL, if I block everything except the 2 or 3 IPs that I want to allow, isn't that less work?

For #1, I don't know how you point it to a dummy of blackhole AAA server.

For #2, makes sense, but since I have never done that I now have some research to do.

Thanks for the help.

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

Marvin Rhoads — Sat, 01 Jun 2024 11:24:16 GMT

If your remote clients are always on the same addresses, then yes you could block all but them.

For the other suggestions, please see these documents:

https://www.cisco.com/c/en/us/support/docs/security/secure-firewall-threat-defense/221806-password-spray-attacks-impacting-custome.html

https://www.cisco.com/c/en/us/support/docs/security/secure-client/221880-implement-hardening-measures-for-secure.html

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

MHM Cisco World — Sat, 01 Jun 2024 11:33:49 GMT

NOW since you try something try below
1- change the WebVPN to be 8443 not 443
2- run ACL control-plane
access-list extended WebVPN permit tcp host < > any eq 8443 <<- host public IP you want to allow
access-list extended WebVPN deny tcp any any eq 8443
access-list extended WebVPN deny tcp any any eq 443 <<- this can also block the ASDM or any HTTPS mgmt to FW

that it the Control-plane ACL dont have implicit deny in end so you dont need permit ip any any

MHM

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123 — Tue, 04 Jun 2024 18:54:16 GMT

Do you still need to use an Access-group for this?

Re: Cisco ASA 5506, Trying to limit access to network using Anyconnect

MHM Cisco World — Tue, 04 Jun 2024 19:12:52 GMT

Yes you need access group with keyword control plane

Note:- no need to apply below line except case you still see some host try access asa via this port

tcp any any eq 443 <<- this can also block the ASDM or any HTTPS mgmt to FW

MHM