allow webvpn access from 1 IP address

Miek_G (Level 1)

Good Day,

I would like to lock my ASA-5506 down to allow WebVPN access only from the remote office.  I am thinking I need to apply an access-list to the external interface?

webvpn
enable outside permit 8.8.8.8 255.255.255.252  <-- used google dns as an example


@Miek_G 

Create a normal access-list and apply a control-plane ACL inbound on the outside interface. E.g.

access-group OUTSIDE_CP in interface OUTSIDE control-plane

Notice the keyword control-plane at the end, this will control traffic destined to the ASA itself.

HTH

Awesome, thank you.

Do I just append the IP and mask to the end of it, or do I need additional commands?

Access list to define the RAVPN you want to permit, then deny the rest.

access-list CPLANE extended permit tcp object-group ALLOWED_RAVPN interface OUTSIDE eq https
access-list CPLANE extended permit udp object-group ALLOWED_RAVPN interface OUTSIDE eq isakmp
access-list CPLANE extended permit udp object-group ALLOWED_RAVPN interface OUTSIDE eq 4500
access-list CPLANE extended permit esp object-group ALLOWED_RAVPN interface OUTSIDE
access-list CPLANE extended deny ip any any

Assign the access-list to the outside interface

access-group CPLANE in interface OUTSIDE control-plane

Miek_G (Level 1)

I think I have it:

acces-list CPLANE extended permit...

access-list CPLANE extended allow ip 8.8.88 255.255.255.252

access-list CPANE extended deny ip any any 

 

or am I off?

 

Accepted solution:

Not quite, there is no "allow" keyword. Just replace 8.8.8.8 with the source IP address you want to permit; all others will be denied.

 

access-list CPLANE extended permit ip host 8.8.8.8 any
access-list CPLANE extended deny ip any any

access-group CPLANE in interface OUTSIDE control-plane

Thanks Rob.

Now to type it in without me making any typos.

I see this is several months old, but I am having the same issue attempting to lock down the WebVPN, but need to lock it down to our office networks. I am testing with my bench unit, but can't get the restriction working. I have:


interface GigabitEthernet1/1
  nameif outside
  security-level 0
  ip address 192.168.30.123 255.255.255.128
!
...
object network BBH-WAN-Fiber
  subnet 192.168.30.0 255.255.255.128
object network BBH-WAN-Cable
  subnet 172.54.24.0 255.255.255.0
...
access-list CPLANE extended permit ip object BBH-WAN-Fiber any
access-list CPLANE extended permit ip object BBH-WAN-Cable any
access-list CPLANE extended deny ip any any
...
access-group CPLANE in interface outside control-plane
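As an added illustration (not part of this thread and not Cisco's code), the following Python script models how the ASA walks a control-plane ACL top-down, first match wins, with the implicit deny at the end. It exercises the three ACL shapes quoted in the thread: Rob's port-specific object-group ACL, the accepted `permit ip host 8.8.8.8 any` ACL, and the object-based ACL from the last post. It implements only the syntax that appears on this page, assumes the object-group ALLOWED_RAVPN contains the single constructed address 203.0.113.10 (the thread never shows its members), and treats a destination of `interface OUTSIDE` as always matching because a control-plane ACL only ever sees traffic addressed to the ASA itself.

```python
"""Constructed ACL evaluator for the ASA control-plane ACL syntax used in this thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Standard ASA port keywords that appear in the thread.
PORT_NAMES = {"https": 443, "isakmp": 500}

# Constructed object definitions: the two from the last post, plus a hypothetical
# ALLOWED_RAVPN object-group (assumption: the thread never shows its members).
OBJECTS = {
    "BBH-WAN-Fiber": [ipaddress.ip_network("192.168.30.0/25")],
    "BBH-WAN-Cable": [ipaddress.ip_network("172.54.24.0/24")],
    "ALLOWED_RAVPN": [ipaddress.ip_network("203.0.113.10/32")],
}


@dataclass
class Packet:
    src: str
    proto: str            # "tcp", "udp" or "esp"
    dport: Optional[int]  # None for protocols without ports (esp)


@dataclass
class Rule:
    action: str
    proto: str
    src: Optional[List[ipaddress.IPv4Network]]  # None means "any"
    dport: Optional[int]
    text: str


def _parse_addr(tokens, i):
    """Parse one address spec at tokens[i]; return (networks or None for any, next index)."""
    tok = tokens[i]
    if tok == "any":
        return None, i + 1
    if tok == "host":
        return [ipaddress.ip_network(tokens[i + 1])], i + 2
    if tok in ("object", "object-group"):
        return OBJECTS[tokens[i + 1]], i + 2
    if tok == "interface":
        # `interface OUTSIDE` names the ASA's own address. A control-plane ACL only
        # sees to-the-box traffic, so this destination always matches in this model.
        return None, i + 2
    # Plain "address mask" form, e.g. 8.8.8.8 255.255.255.252
    return [ipaddress.ip_network(f"{tok}/{tokens[i + 1]}", strict=False)], i + 2


def parse_rule(line):
    """Parse an `access-list NAME extended ...` line into a Rule."""
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported line: {line}")
    action, proto = t[3], t[4]
    if action not in ("permit", "deny"):  # "allow" is not an ASA keyword
        raise ValueError(f"unknown action {action!r} in: {line}")
    src, i = _parse_addr(t, 5)
    _dst, i = _parse_addr(t, i)  # destination parsed only to consume its tokens
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Rule(action, proto, src, dport, line)


def is_valid_rule(line):
    """True if the line parses under the subset of ASA syntax modelled here."""
    try:
        parse_rule(line)
        return True
    except (ValueError, KeyError, IndexError):
        return False


def matches(rule, pkt):
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.src is not None:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in net for net in rule.src):
            return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl_lines, pkt):
    """Return (action, matching line): top-down, first match wins, implicit deny at the end."""
    for rule in map(parse_rule, acl_lines):
        if matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "(implicit deny)"


# ACLs quoted from the thread.
ROB_ACL = [
    "access-list CPLANE extended permit tcp object-group ALLOWED_RAVPN interface OUTSIDE eq https",
    "access-list CPLANE extended permit udp object-group ALLOWED_RAVPN interface OUTSIDE eq isakmp",
    "access-list CPLANE extended permit udp object-group ALLOWED_RAVPN interface OUTSIDE eq 4500",
    "access-list CPLANE extended permit esp object-group ALLOWED_RAVPN interface OUTSIDE",
    "access-list CPLANE extended deny ip any any",
]
HOST_ACL = [
    "access-list CPLANE extended permit ip host 8.8.8.8 any",
    "access-list CPLANE extended deny ip any any",
]
OBJECT_ACL = [
    "access-list CPLANE extended permit ip object BBH-WAN-Fiber any",
    "access-list CPLANE extended permit ip object BBH-WAN-Cable any",
    "access-list CPLANE extended deny ip any any",
]

if __name__ == "__main__":
    for acl, pkt in [(ROB_ACL, Packet("203.0.113.10", "tcp", 443)),
                     (ROB_ACL, Packet("203.0.113.10", "tcp", 22)),
                     (HOST_ACL, Packet("8.8.8.9", "tcp", 443)),
                     (OBJECT_ACL, Packet("192.168.30.50", "tcp", 443))]:
        print(pkt, "->", evaluate(acl, pkt))
```

The script only has to know which sources and ports may reach the box, which is exactly what the `control-plane` keyword restricts the ACL to; the port-specific form limits the permitted office to the VPN services, while the `permit ip host ... any` form lets the listed host reach every service the ASA exposes on that interface.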
