webvpn on ASA opens TCP/443 to entire Internet?

abatson
Level 1

I'm enabling 'webvpn' on an ASA firewall, and when I do this, it appears to open TCP/443 on the Outside Interface, to SRC=0.0.0.0. I'm lucky enough to know the SRCs of all my VPN customers, so I'd like to limit TCP/443 being visible to JUST them, and not the entire Internet at large. Is this a possibility? Or, is it mandatory that the Outside Interface be open to the entire Public Internet on TCP/443? I also have the 'sysopt' option for vpn-connect turned off; I'd like all my VPN traffic to go thru the ACLs.

 

Of course my VPN is protected by username / PW, but I'm interested in "defense in depth" -- I'd rather not open TCP/443 to 4 billion people on the Internet, when I only have 10 people who are going to log into my VPN...

 

  Thanks in advance!
 

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

You can use the 'control-plane' ACL to block the source IP addresses to connect to the any connect services.

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1597389

Beware of this Defect:-

Defect:- CSCud99081

https://tools.cisco.com/bugsearch/bug/CSCud99081/?reffering_site=dumpcr

Thanks and Regards,

Vibhor Amrodia
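As an added illustration of the control-plane ACL approach in the answer above (example configuration written for this edit, not Cisco's or the poster's): the ACL name OUTSIDE-CP, the interface name "outside", and the source addresses (203.0.113.10 and the 198.51.100.0/24 block, both documentation ranges) are assumed placeholders to be replaced with the real customer sources. A control-plane ACL is evaluated only against traffic addressed to the ASA itself, so the destination can be left as "any". Like every ASA ACL it ends in an implicit deny, so the final permit line is what keeps other to-the-box traffic (IKE, ESP, ICMP, management access) working once the ACL is applied. UDP/443 is included because AnyConnect DTLS uses that port by default; omit those lines for a clientless-only deployment.

```text
! Constructed example: expose the webvpn/AnyConnect listener on the outside
! interface only to known customer sources, drop it for everyone else, and
! leave all remaining to-the-box traffic as it was.
access-list OUTSIDE-CP extended permit tcp host 203.0.113.10 any eq 443
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 any eq 443
access-list OUTSIDE-CP extended permit tcp 198.51.100.0 255.255.255.0 any eq 443
access-list OUTSIDE-CP extended permit udp 198.51.100.0 255.255.255.0 any eq 443
access-list OUTSIDE-CP extended deny tcp any any eq 443
access-list OUTSIDE-CP extended deny udp any any eq 443
! Required: without this line the implicit deny would also block IKE, ESP,
! ICMP and management sessions directed at the outside interface address.
access-list OUTSIDE-CP extended permit ip any any
!
! The "control-plane" keyword is what makes this a to-the-box ACL rather
! than the through-the-box ACL the poster already has on the interface.
access-group OUTSIDE-CP in interface outside control-plane
```

After applying it, "show access-list OUTSIDE-CP" gives per-line hit counts; the deny lines for TCP/443 and UDP/443 should start climbing as unsolicited Internet connections are dropped, while the permit lines only increment for the expected customer sources. "show running-config access-group" confirms that the control-plane binding is in place alongside the existing through-traffic ACL.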

 

5 Replies

Just what I was looking for! I knew there was a separate ACL that governs traffic TO the interface, versus THRU the interface... I'll try this out & post back....

The recommendation to use the control-plane method worked! I'll be marking Vibhor Amrodia's suggestion as the 'correct response'. But first, question: If I have a bunch of laptops with the Cisco AnyConnect Secure Mobility Client v3.0, can I also install the Cisco AnyConnect 2.5 client on the same laptops? Will the clients work properly & co-exist? Or do I need to find a way to add a new Connection Profile to the Mobility Client, for my new VPN? Thanks again!

Hi,

If you try to connect to the ASA device using the AnyConnect 2.5 client, it will try to upgrade the client automatically.

Thanks and Regards,

Vibhor Amrodia

I have the AnyConnect 2.5 image in the ASA. The laptop I'm using to connect for the first time already has AnyConnect Secure Mobility 3.0 on it. Can I run the installer for AnyConnect 2.5 on a laptop that already has AnyConnect Secure Mobility 3.0 on it?

 

What I want to avoid is destroying the configuration of the Secure Mobility client so that I can't connect to my corporate VPN anymore.

 

  • AnyConnect 2.5 client attaches to my ASA
  • AnyConnect Secure Mobility 3.0 attaches to my corporate VPN Concentrator.