
anyconnect vpn issue

hamedha
Level 1

Hello

I configured SSL VPN using the AnyConnect option on the outside interface through the internet.

When I finished the installation I can access the outside by web to install the AnyConnect agent.

That is fine.

But I have a problem: the SSL web browser page allows any user to open it, so I want the web browser page to be available only for one user, chosen by IP address.

How can I do that?


Marvin Rhoads
Hall of Fame

If I understand correctly you only want a single known remote IP address to be able to connect to your SSL VPN.

 

To do that, you would need to use an ACL with the "control-plane" option. That makes the ACL apply to traffic TO the ASA (vs. the normal usage which affects traffic THROUGH the ASA).

 

Here is a good article on how to do that.

 

http://resources.intenseschool.com/to-the-box-traffic-filtering-on-cisco-asa/

 

It was written for the old IPsec VPN client but you can easily adapt the method to specify tcp 443 (default for SSL/TLS used by AnyConnect clients unless you've specified an alternate port) as the destination transport protocol (tcp) and port (443).

object-group network ALLOWED_VPN_HOSTS
 network-object host x.x.x.x
access-list OUT_IN extended permit tcp object-group ALLOWED_VPN_HOSTS host x.x.x.x
access-group OUT_IN in interface outside

I did this access list as you required, but I have the same problem: I can access the SSL VPN as any user from outside.

Add the control-plane keyword to your last statement:

 

access-group OUT_IN in interface outside control-plane
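
The configuration discussed in this thread, assembled in one place as an added example that is not part of any post above. The addresses 203.0.113.10 (permitted client) and 198.51.100.1 (ASA outside interface) are constructed placeholders, and the `eq 443` match, the explicit deny line and the `no access-group` cleanup are assumptions added here beyond what the posters typed.

```cisco
! Constructed placeholder addresses (documentation ranges):
!   203.0.113.10  = the single client allowed to reach the SSL VPN
!   198.51.100.1  = the ASA's own outside interface address
object-group network ALLOWED_VPN_HOSTS
 network-object host 203.0.113.10
!
! Permit only TCP/443 (default AnyConnect/WebVPN port) from the allowed
! host to the ASA itself. Change 443 if an alternate port is configured.
access-list OUT_IN extended permit tcp object-group ALLOWED_VPN_HOSTS host 198.51.100.1 eq 443
!
! Explicit deny for everyone else, so the result does not rely on any
! implicit rule; "log" records rejected attempts in syslog.
access-list OUT_IN extended deny tcp any host 198.51.100.1 eq 443 log
!
! Before (as posted in the thread): bound without control-plane, the ACL
! filters only traffic THROUGH the ASA, so the portal stays open to all.
!   access-group OUT_IN in interface outside
! If that binding is still present, remove it so OUT_IN does not also
! filter through-the-box traffic (assumes OUT_IN was created only for
! this purpose):
no access-group OUT_IN in interface outside
!
! After: control-plane applies the ACL to traffic TO the ASA.
access-group OUT_IN in interface outside control-plane
!
! Verify the binding and watch hit counts while testing from an
! allowed and a non-allowed source address.
show running-config access-group
show access-list OUT_IN
```

After applying it, a connection attempt from a non-listed address should increment the hit count on the deny entry, and one from the listed host should increment the permit entry.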

 
