Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
858
Views
0
Helpful
5
Replies

ASA Any Connect VPN Login web page restriction with IP and has to access vai Domain Name alone

Sureshkumar B
Level 1
Level 1

‎06-27-2017 10:38 PM - edited ‎03-12-2019 02:38 AM

Hi Team,

We have any connect VPN and Firewall VPN IP is registered to a domain with SSL Certificate. So remote client can access any connect url with domain and IP as well to connect VPN.

In this scenario, we need to restrict the Any connect URL through Public IP. We need any connect URL has to be accessed through domain URL alone and not with the IP address. Your valuable inputs are highly appreciated.

Regards,

Suresh.

Labels:
0 Helpful
5 Replies 5

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-28-2017 03:25 AM

I don't believe that's possible.

When a client connects, the connection request is translated from the FQDN the client provides into an IP address by the client's local resolver (host file or DNS server(s)).

So even when the client goes to your URL, the request will actuallly come in as an IP address of the clietn-facing interface that the FQDN resolves to.

0 Helpful

Sureshkumar B
Level 1
Level 1
In response to Marvin Rhoads

‎07-01-2017 05:34 AM

Hi Marvin,

Thanks for your response. 

Yes i do agree at the end, IP to IP communication only happens. But my concern is, if client machine enter https://x.x.x.x ip in browser instead of domain name, certificate warning will come and if client machine accept the certicate warning it will display the VPN portal. 

We don't want client machine to access VPN portal if certificate issues comes/certificate warning arises.

regards,

Suresh.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Sureshkumar B

‎07-01-2017 07:53 AM

Ah OK - yes you can prevent it at the client side. I was answering from the ASA perspective.

If you set the profile to use "Strict Certificate Trust", it will accomplish what you are asking.

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/anyconnect-profile-editor.html#ID-1430-0000006c

0 Helpful

Sureshkumar B
Level 1
Level 1
In response to Marvin Rhoads

‎07-01-2017 08:09 AM

thanks for your reponse, i am new to Cisco ASA. Can you please explain it in more detail.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Sureshkumar B

‎07-01-2017 08:32 AM

Remote Access SSL VPN on the ASA, which uses the AnyConnect client, has something called the client profile.

When you use it (it's optional for the admin to define one), the profile governs multiple settings about how the client connects. Every time the client connects, the ASA checks to ensure the local copy of the profile is current (it uses a hash of the file to compare the one on the ASA with the one on the client). Thus all the settings are ensured to be correct.

The local policy is the other piece governing AnyConnect client behavior. It is not deployed from the ASA but is stored locally on the client. We typically deploy it using something like SCCM. Unfortunately, it is subject to end user modification unless you lock down the remote workstations to prevent it from happening.

The local policy is where the "Strict Certificate Trust" setting is located. You can create and send out a local policy using the Anyconnect profile editor software available on the AnyConnect downloads page.

Both the profile and the local policy are small xml files that are pretty much human readable. They can also be manually edited. for instance, the following output and associated GUI settings are representations of the same thing:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectLocalPolicy xmlns="http://schemas.xmlsoap.org/encoding/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/ AnyConnectLocalPolicy.xsd" acversion="3.0.0592">
 <FipsMode>true</FipsMode>
 <BypassDownloader>true</BypassDownloader>
 <RestrictWebLaunch>true</RestrictWebLaunch>
 <StrictCertificateTrust>true</StrictCertificateTrust>
 <EnableCRLCheck>false</EnableCRLCheck>
 <RestrictPreferenceCaching>false</RestrictPreferenceCaching>
 <ExcludePemFileCertStore>false</ExcludePemFileCertStore>
 <ExcludeMacNativeCertStore>false</ExcludeMacNativeCertStore>
 <ExcludeFirefoxNSSCertStore>false</ExcludeFirefoxNSSCertStore>
 <UpdatePolicy>
 <AllowSoftwareUpdatesFromAnyServer>true</AllowSoftwareUpdatesFromAnyServer>
 <AllowVPNProfileUpdatesFromAnyServer>true</AllowVPNProfileUpdatesFromAnyServer>
 <AllowServiceProfileUpdatesFromAnyServer>true</AllowServiceProfileUpdatesFromAnyServer>
 <AllowISEProfileUpdatesFromAnyServer>true</AllowISEProfileUpdatesFromAnyServer>
 <AllowComplianceModuleUpdatesFromAnyServer>true</AllowComplianceModuleUpdatesFromAnyServer>
 </UpdatePolicy>
</AnyConnectLocalPolicy>

You can edit the policy and deploy it as described here:

http://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect44/administration/guide/b_AnyConnect_Administrator_Guide_4-4/anyconnect-profile-editor.html#ID-1430-0000032f

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card