11-12-2013 01:41 PM - edited 03-11-2019 08:04 PM
Hello,
I'm attempting to limit what IP addresses can connect to an ASA using the SSL VPN. I would have thought control-plane policing would have worked; however, it did not.
Here is what I configured:
access-list vpn_control extended permit tcp object-group allowed_clients interface outside
!
access-group vpn_control in interface outside control-plane
any suggestions would be appreciated.
Thanks!
11-14-2013 06:35 AM
Please post more of the configuration and check the logs to see what you are reporting. By any chance, do you have the HTTP server enabled? Can you get me a show run http.
Check the following link that contains an explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842
Note: Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.
11-14-2013 12:12 PM
The command you entered for the control plane is for traffic destined for the ASA itself... but VPN traffic will also bypass the interface ACLs, as it is encrypted by default.
You could try to issue the command no sysopt connection permit-vpn; this will require the ASA to check the SSL VPN traffic against the ACL configured on the interface.
Please rate any helpful posts.
11-14-2013 01:21 PM
This would be for traffic through the ASA and not really to the ASA.
sysopt connection permit-vpn
The sysopt connection permit-ipsec command allows all the traffic that enters the security appliance through a VPN tunnel to bypass interface access lists. Group policy and per-user authorization access lists still apply to the traffic. In PIX/ASA 7.1 and later, the sysopt connection permit-ipsec command is changed to sysopt connection permit-vpn. The vpn-filter is applied to post-decrypted traffic after it exits a tunnel and pre-encrypted traffic before it enters a tunnel.
11-14-2013 02:04 PM
Yes, I know, but it is an option nonetheless.
11-14-2013 02:21 PM
Hello,
Agree, the option to go with is the control-plane one.
As far as I am aware that should do it.
Example:
access-list outside-control-plane extended deny tcp host 1.1.1.1 x.x.x.x eq 443 (where x.x.x.x is the outside interface IP)
access-group outside-control-plane in interface outside control-plane
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-14-2013 03:23 PM
Check the following link that contains an explanation:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1541842
Note: Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than an access list applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box access list.
11-15-2013 01:25 AM
@jumora - you are correct; however, this is only applicable for management traffic. To me it sounds like Spagsterj wants to limit the IPs that are able to initiate an SSL VPN session. As PKI will exchange keys before any traffic is sent between the devices, the traffic will be encrypted when the actual connection is made and will therefore bypass the outside interface ACL by default. So (unless my logic is completely off here) he will need to disable the ACL bypass for it to take effect.
11-15-2013 02:50 PM
That is the issue: the ASA does not distinguish whether it is SSL VPN or management. I work at TAC and escalated a ticket a couple of days ago due to this; it is also related to class type management, which did not work for SSL traffic but did for SSH.
Believe me I know what I'm talking about.
11-15-2013 11:31 PM
Hello Marius,
Agree with Juancito "loquillo" in this one as what the customer is trying to accomplish is filter who connects to the Firewall via SSL, not what traffic is allowed to go via the tunnel.
In this case the control-plane option is the suitable option.
Cheers to both of you.
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
11-16-2013 08:32 AM
Hi Julio,
That is my understanding too. I don't think I mentioned traffic filtering...or did I? I will have a read through the posts and see.
Anyway, I am wondering if perhaps the ACL assigned to the control plane is being bypassed due to the encryption, which is why I suggested trying to disable the interface ACL bypass by using the following command:
no sysopt connection permit-vpn
11-16-2013 09:28 PM
Ok, do you still need assistance?
Julio knows me, and please believe me: when I correct anyone it's not to presume, it's because I want them to understand.
Customer, do you still need assistance???
01-14-2014 11:40 AM
Hello,
Has there been any change regarding filtering what source IP address can initiate an SSL connection to the ASA for VPN access?
03-03-2014 08:01 PM
Bbb
06-03-2021 08:21 AM
This appeared to work for me. Persistent SSL VPN connection attempts are now denied from the source IP.
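Pulling the thread's conclusion together, here is an added configuration example that was not posted by any participant: a to-the-box (control-plane) ACL that allows only listed source addresses to open an SSL VPN session to the outside interface, logs and drops everyone else aimed at the listener, and leaves all other to-the-box traffic untouched. It assumes the SSL VPN portal listens on the default port 443 on the interface named outside, reuses the object-group name allowed_clients from the opening post, and the member addresses are constructed documentation-range samples.

```cisco
! Added example (not from any post in this thread): restrict which source
! addresses may open an SSL VPN session to the outside interface, using a
! to-the-box (control-plane) ACL.
! Assumptions: the portal listens on the default port 443 on "outside";
! the addresses below are constructed documentation-range sample values.

! 1. Allowed client sources (constructed sample values)
object-group network allowed_clients
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0

! 2. To-the-box ACL: permit the allowlist to the SSL listener, log and drop
!    everyone else aimed at 443, and keep all other to-the-box traffic
!    (IKE, ICMP, management sessions) behaving exactly as before.
access-list vpn_control extended permit tcp object-group allowed_clients interface outside eq https
access-list vpn_control extended deny tcp any interface outside eq https log
access-list vpn_control extended permit ip any any

! 3. Bind it as a control-plane ACL on the outside interface
access-group vpn_control in interface outside control-plane

! 4. Verify: per-line hit counts, and the deny log messages that name the ACL
show access-list vpn_control
show logging | include vpn_control
```

Two points from the thread apply to this example. First, as the quoted Cisco note states, hosts permitted by the http, ssh or telnet commands still reach the box even if this ACL denies them, so an http entry covering port 443 is not restricted by it. Second, no sysopt connection permit-vpn governs decrypted traffic leaving the tunnel and does not affect the session setup itself, which is why the control-plane ACL, not the interface ACL, is what filters who can connect.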