topic Re: anyconnect vpn issue in Network Security

anyconnect vpn issue

hamedha — Fri, 21 Feb 2020 16:38:41 GMT

Hell

I configure SSL vpn by use any connect option from outside interface through internet

when I finish the installion I can access to outside by web for install anyconnet agent

that fine

but i have problem that the ssl web browser allow for any user to open the page so i want the web browser page only available

for one user by choice ip address

how can i do that ?

Re: anyconnect vpn issue

Marvin Rhoads — Wed, 09 Jan 2019 09:25:07 GMT

If I understand correctly you only want a single known remote IP address to be able to connect to your SSL VPN.

To do that, you would need to use an ACL with the "control-plane" option. That makes the ACL apply to traffic TO the ASA (vs. the normal usage which affects traffic THROUGH the ASA).

Here is a good article on how to do that.

http://resources.intenseschool.com/to-the-box-traffic-filtering-on-cisco-asa/

It was written for the old IPsec VPN client but you can easily adapt the method to specify tcp 443 (default for SSL/TLS used by AnyConnect clients unless you've specified an alternate port) as the destination transport protocol (tcp) and port (443).

Re: anyconnect vpn issue

hamedha — Wed, 09 Jan 2019 09:59:58 GMT

object-group network ALLOWED_VPN_HOSTS
 network-object host x.x.x.x
access-list OUT_IN extended permit tcp object-group ALLOWED_VPN_HOSTS host x.x.x.x
access-group OUT_IN in interface outside

i did this access list as your requirement but same problem which i can access to ssl vpn by any user from outside

Re: anyconnect vpn issue

Marvin Rhoads — Wed, 09 Jan 2019 10:11:15 GMT

Add the control-plane keyword to your last statement:

access-group OUT_IN in interface outside control-plane