topic I don't believe that's in Network Security

ASA Any Connect VPN Login web page restriction with IP and has to access vai Domain Name alone

Sureshkumar B — Tue, 12 Mar 2019 09:38:10 GMT

Hi Team,

We have any connect VPN and Firewall VPN IP is registered to a domain with SSL Certificate. So remote client can access any connect url with domain and IP as well to connect VPN.

In this scenario, we need to restrict the Any connect URL through Public IP. We need any connect URL has to be accessed through domain URL alone and not with the IP address. Your valuable inputs are highly appreciated.

Regards,

Suresh.

I don't believe that's

Marvin Rhoads — Wed, 28 Jun 2017 10:25:27 GMT

I don't believe that's possible.

When a client connects, the connection request is translated from the FQDN the client provides into an IP address by the client's local resolver (host file or DNS server(s)).

So even when the client goes to your URL, the request will actuallly come in as an IP address of the clietn-facing interface that the FQDN resolves to.

Hi Marvin,

Sureshkumar B — Sat, 01 Jul 2017 12:34:37 GMT

Hi Marvin,

Thanks for your response.

Yes i do agree at the end, IP to IP communication only happens. But my concern is, if client machine enter https://x.x.x.x ip in browser instead of domain name, certificate warning will come and if client machine accept the certicate warning it will display the VPN portal.

We don't want client machine to access VPN portal if certificate issues comes/certificate warning arises.

regards,

Suresh.

Ah OK - yes you can prevent

Marvin Rhoads — Sat, 01 Jul 2017 14:53:04 GMT

Ah OK - yes you can prevent it at the client side. I was answering from the ASA perspective.

If you set the profile to use "Strict Certificate Trust", it will accomplish what you are asking.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/anyconnect-profile-editor.html#ID-1430-0000006c

thanks for your reponse, i am

Sureshkumar B — Sat, 01 Jul 2017 15:09:07 GMT

thanks for your reponse, i am new to Cisco ASA. Can you please explain it in more detail.

Remote Access SSL VPN on the

Marvin Rhoads — Sat, 01 Jul 2017 15:32:16 GMT

Remote Access SSL VPN on the ASA, which uses the AnyConnect client, has something called the client profile.

When you use it (it's optional for the admin to define one), the profile governs multiple settings about how the client connects. Every time the client connects, the ASA checks to ensure the local copy of the profile is current (it uses a hash of the file to compare the one on the ASA with the one on the client). Thus all the settings are ensured to be correct.

The local policy is the other piece governing AnyConnect client behavior. It is not deployed from the ASA but is stored locally on the client. We typically deploy it using something like SCCM. Unfortunately, it is subject to end user modification unless you lock down the remote workstations to prevent it from happening.

The local policy is where the "Strict Certificate Trust" setting is located. You can create and send out a local policy using the Anyconnect profile editor software available on the AnyConnect downloads page.

Both the profile and the local policy are small xml files that are pretty much human readable. They can also be manually edited. for instance, the following output and associated GUI settings are representations of the same thing:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.0.0592">
 <FipsMode>true</FipsMode>
 <BypassDownloader>true</BypassDownloader>
 <RestrictWebLaunch>true</RestrictWebLaunch>
 <StrictCertificateTrust>true</StrictCertificateTrust>
 <EnableCRLCheck>false</EnableCRLCheck>
 <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
 <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
 <ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
 <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
 <UpdatePolicy>
 <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
 <AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
 <AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
 <AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
 <AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
 </UpdatePolicy>
</AnyConnectLocalPolicy>

You can edit the policy and deploy it as described here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/anyconnect-profile-editor.html#ID-1430-0000032f