03-27-2019 09:29 PM
Is there a function in ISE that lets me create conditions to allow/deny clients connecting to AnyConnect based on their IP?
Example: I want to block a certain IP range from connecting to our AnyConnect VPN, using ISE as our RADIUS server.
03-28-2019 05:33 AM - edited 03-28-2019 05:48 AM
removed after re-reading topic
03-28-2019 06:24 AM
Hi,
You can create an inbound ACL and attach it to the ASA outside interface, denying the IP ranges you want to destination any eq tcp and udp 443.
Try this and give us feedback; it may not work, because normally you need to enable the option below:
bypass interface access-list for inbound VPN sessions (in ASDM)
sysopt connection permit-vpn (via CLI).
Please vote if helpful
03-28-2019 09:26 AM
Hi,
You could use the RADIUS attribute "Calling-Station-ID" in an ISE Authorization rule to permit/deny access.
As previously suggested, you could also create an ACL on the ASA; this must be bound to the outside interface with the option control-plane appended. This is not the same ACL you would use for controlling traffic through the ASA.
E.g.:
access-group ALL_EXCEPT in interface OUTSIDE control-plane
HTH
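As an added illustration of the control-plane ACL approach described in the answer above (example configuration, not from the thread or from Cisco), assuming an outside interface named OUTSIDE, an ACL named ALL_EXCEPT, and a constructed source range 203.0.113.0/24 to block; the IKEv2 lines apply only if AnyConnect is also offered over IPsec/IKEv2:

```cisco
! Sources that must not reach the ASA's own AnyConnect listener (constructed range)
object-group network DENIED_VPN_SOURCES
 network-object 203.0.113.0 255.255.255.0
!
! To-the-box ACL: deny the blocked sources to the VPN ports, permit everything else.
access-list ALL_EXCEPT remark Deny AnyConnect SSL/DTLS (443) from blocked sources
access-list ALL_EXCEPT extended deny tcp object-group DENIED_VPN_SOURCES any eq 443
access-list ALL_EXCEPT extended deny udp object-group DENIED_VPN_SOURCES any eq 443
access-list ALL_EXCEPT remark Deny IKEv2 (500/4500) from blocked sources, only if IKEv2 is used
access-list ALL_EXCEPT extended deny udp object-group DENIED_VPN_SOURCES any eq 500
access-list ALL_EXCEPT extended deny udp object-group DENIED_VPN_SOURCES any eq 4500
access-list ALL_EXCEPT remark All other sources may still reach the box
access-list ALL_EXCEPT extended permit ip any any
!
! control-plane binds the ACL to traffic destined to the ASA itself, so sysopt connection
! permit-vpn (which bypasses the through-the-box interface ACL) does not affect it.
access-group ALL_EXCEPT in interface OUTSIDE control-plane
```

After a connection attempt from the blocked range, `show access-list ALL_EXCEPT` should show the hit counters on the deny lines increasing, which is the quickest way to confirm the ACL is actually being evaluated.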