05-20-2015 08:52 AM - edited 03-11-2019 10:58 PM
I'm enabling 'webvpn' on an ASA firewall, and when I do this, it appears to open TCP/443 on the Outside Interface, to SRC=0.0.0.0. I'm lucky enough to know the SRCs of all my VPN customers, so I'd like to limit TCP/443 being visible to JUST them, and not the entire Internet at large. Is this a possibility? Or is it mandatory that the Outside Interface be open to the entire Public Internet on TCP/443? I also have the 'sysopt' option for vpn-connect turned off; I'd like all my VPN traffic to go through the ACLs.
Of course my VPN is protected by username / PW, but I'm interested in "defense in depth" -- I'd rather not open TCP/443 to 4 billion people on the Internet, when I only have 10 people who are going to log into my VPN...
Thanks in advance!
05-20-2015 09:04 AM
Hi,
You can use the 'control-plane' ACL to block the source IP addresses from connecting to the AnyConnect services.
Refer:-
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1597389
Beware of this Defect:-
Defect:- CSCud99081
https://tools.cisco.com/bugsearch/bug/CSCud99081/?reffering_site=dumpcr
Thanks and Regards,
Vibhor Amrodia
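The to-the-box ACL this answer points at, written out as an added configuration example (it is not the poster's configuration and not from the linked command reference). Assumptions: the interface is named `outside`, the ACL name `CP_OUTSIDE_IN` is made up, and the permitted hosts `203.0.113.10` and `203.0.113.11` are constructed documentation addresses standing in for the known VPN client sources.

```cisco
! Added example, not the original poster's config. Names and addresses are assumptions.
! A control-plane ACL filters traffic addressed TO the ASA interface itself,
! which is what the WebVPN/AnyConnect listener on TCP/443 is; the ordinary
! interface ACL only governs traffic passing THROUGH the firewall.

! 1. Permit TCP/443 to the box only from the known client sources
!    (203.0.113.10 and 203.0.113.11 are constructed RFC 5737 placeholders).
access-list CP_OUTSIDE_IN extended permit tcp host 203.0.113.10 any eq https
access-list CP_OUTSIDE_IN extended permit tcp host 203.0.113.11 any eq https

! 2. Explicitly drop and log every other TCP/443 attempt against the interface,
!    so unwanted connection attempts show up in syslog instead of vanishing silently.
access-list CP_OUTSIDE_IN extended deny tcp any any eq https log

! 3. The control-plane ACL ends in an implicit deny that covers ALL other
!    to-the-box traffic on this interface (IPsec/IKE, SSH, ASDM, ...).
!    A trailing permit keeps those services reachable; tighten it to the
!    specific protocols you actually use once the baseline is confirmed.
access-list CP_OUTSIDE_IN extended permit ip any any

! 4. Bind the ACL to the outside interface with the control-plane keyword.
access-group CP_OUTSIDE_IN in interface outside control-plane

! Verification: hit counters on each line confirm the ordering works as intended
! (the permits should accumulate hits from known clients, the deny from everyone else).
! show access-list CP_OUTSIDE_IN
! show running-config access-group
```

Test from a client source that is on the list and from one that is not before relying on it; if the deny line is logged, the resulting syslog entries give a simple feed for spotting scanning against the VPN portal. This restricts who can reach the TLS listener but does not replace authentication hardening on the portal itself, which is exactly the "defense in depth" framing of the original question.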
05-20-2015 05:10 PM
Just what I was looking for! I knew there was a separate ACL that governs traffic TO the interface, versus THROUGH the interface... I'll try this out & post back....
05-21-2015 07:08 PM
The recommendation to use the control-plane method worked! I'll be marking Vibhor Amrodia's suggestion as the 'correct response'. But first, a question: if I have a bunch of laptops with the Cisco AnyConnect Secure Mobility Client v3.0, can I also install the Cisco AnyConnect 2.5 client on the same laptops? Will the clients work properly & co-exist? Or do I need to find a way to add a new Connection Profile to the Mobility Client, for my new VPN? Thanks again!
05-21-2015 09:33 PM
Hi,
If you try to connect to the ASA device using the AnyConnect 2.5 client, it will try to upgrade the client automatically.
Thanks and Regards,
Vibhor Amrodia
05-22-2015 09:25 AM
I have the AnyConnect 2.5 image in the ASA. The laptop I'm using to connect for the first time already has AnyConnect Secure Mobility 3.0 on it. Can I run the installer for AnyConnect 2.5 on a laptop that already has AnyConnect Secure Mobility 3.0 on it?
What I want to avoid is destroying the configuration of the Secure Mobility client so that I can't connect to my corporate VPN anymore.