Cisco ASA 5506, Trying to limit access to network using Anyconnect

kcousino123
Level 1

I am implementing Anyconnect SSL client VPN and I only want 2 users to be able to access the network on this connection.  How can I restrict that access?  I have found different thoughts on this but nothing that seems to work.  Please help.

Thanks,

Ken

Accepted Solution

Now, since you tried something, try the steps below:
1. Change the WebVPN port to 8443 instead of 443.
2. Run a control-plane ACL:
access-list WebVPN extended permit tcp host < > any eq 8443 <<- host public IP you want to allow
access-list WebVPN extended deny tcp any any eq 8443
access-list WebVPN extended deny tcp any any eq 443 <<- this can also block the ASDM or any HTTPS mgmt to FW

That's it. The control-plane ACL doesn't have an implicit deny at the end, so you don't need permit ip any any.

MHM

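The accepted solution above lists the ACL lines but not the port change or the command that binds the ACL to the control plane. As an added example (not from the original post), here is the complete ASA configuration the solution implies; it assumes the Internet-facing interface is named outside, the ACL is named WebVPN, and the single permitted public address is the documentation placeholder 203.0.113.10.

```cisco
! Added example, not from the thread. Assumes interface "outside" and the
! placeholder public IP 203.0.113.10 for the one client source allowed in.
!
! 1. Move the SSL VPN / AnyConnect listener from 443 to 8443.
webvpn
 port 8443
 enable outside
 anyconnect enable
!
! 2. Control-plane ACL: matches traffic destined TO the ASA itself on the
!    outside interface. Only the listed source may reach 8443; every other
!    source is dropped before it ever sees the AnyConnect login page.
access-list WebVPN extended permit tcp host 203.0.113.10 any eq 8443
access-list WebVPN extended deny tcp any any eq 8443
!
! Optional: also drop HTTPS on 443 from the outside. Leave this out if you
! rely on ASDM or HTTPS management reaching the outside interface.
access-list WebVPN extended deny tcp any any eq 443
!
! 3. Bind the ACL to the control plane (to-the-box traffic). Without the
!    control-plane keyword the ACL would filter through-the-box traffic instead.
access-group WebVPN in interface outside control-plane
!
! Verification (run from privileged EXEC):
!   show access-list WebVPN            -> hit counts on the deny line show blocked scanners
!   show running-config webvpn         -> confirms the listener is on 8443
```

After this change the two legitimate users must connect to https://<ASA-public-address>:8443; the hit counters on the deny entries are the quickest way to confirm that unwanted attempts are being dropped at the edge rather than reaching the authentication server.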

12 Replies

@kcousino123

A couple of options, you can configure "vpn-simultaneous-logins 2" under the group policy to restrict the number of connections.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa914/configuration/vpn/asa-914-vpn-config/vpn-groups.html?bookSearch=true

Example:

hostname(config)# group-policy <group policy name> attributes
hostname(config-group-policy)# vpn-simultaneous-logins 2

If the ASA is unlicensed you get 2 free RAVPN licenses, so you may not need to do anything.

Another option is to configure a VPN pool with only 2 IP addresses; that will achieve the same thing as the other options.
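The reply above names two controls, the per-group-policy login limit and a small address pool. As an added example (not the poster's configuration), the following ASA fragment puts both in place and also shows the standard way to deny VPN access to every account that is not explicitly permitted. All names (ANYCONNECT-POOL, GP-ANYCONNECT, TG-ANYCONNECT, the two usernames) and addresses are placeholders.

```cisco
! Added example, not from the reply above. Names and addresses are placeholders.
!
! A pool of exactly two addresses is a hard ceiling: a third concurrent
! session has no address to receive and is refused.
ip local pool ANYCONNECT-POOL 192.168.100.1-192.168.100.2 mask 255.255.255.0
!
! Group policy for the permitted users.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 ! vpn-simultaneous-logins is a PER-USER limit: each account may hold at most
 ! this many concurrent sessions. It does not cap the total across all users;
 ! the two-address pool above is what enforces the overall ceiling.
 vpn-simultaneous-logins 1
!
! Default group policy: setting the per-user limit to 0 denies VPN login to
! any account that is not explicitly mapped to GP-ANYCONNECT below.
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
!
! Only the two named accounts are mapped to the permitting policy.
username user1 password PLACEHOLDER-PASSWORD-1
username user1 attributes
 vpn-group-policy GP-ANYCONNECT
 service-type remote-access
username user2 password PLACEHOLDER-PASSWORD-2
username user2 attributes
 vpn-group-policy GP-ANYCONNECT
 service-type remote-access
!
! Connection profile that hands out the pool and the policy.
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
 address-pool ANYCONNECT-POOL
!
! Verification (privileged EXEC):
!   show vpn-sessiondb anyconnect        -> who is connected right now
!   show ip local pool ANYCONNECT-POOL   -> how many of the two addresses are in use
```

The DfltGrpPolicy change is the piece most often missed: without it, any other valid account on the ASA (or on the external AAA server) can still establish a session as long as an address is free in the pool.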

I am trying to stop attempts to connect by all except 2 or 3 users.


What did you try that did not work?

MHM

I am using a nonstandard port and I tried blocking traffic with an acl and thought I applied it to the control plane.

All except two users that have the correct password?

How do others connect with the wrong password?

MHM

I am wanting to stop people from even getting through to have the option to try to log in.


Stopping successful logins is easy. Stopping ATTEMPTS is much more difficult. Yes, you can build (and continually update) control-plane ACLs, but that will make keeping up with them your full-time job.

Two other methods are:

1. Use an unpublished URL for the desired connection profile. For the default profile, point it to a dummy or blackhole AAA server. You will still get attempts, but they won't bombard your legitimate authentication source.

2. If you have a PKI, issue certificates to the permitted users and make certificate-based authentication the only allowed method. This will prevent random scans from ever even trying to authenticate since they will be offering random usernames and passwords.

No matter what method you use, inbound traffic will still be seen (and blocked) by the firewall. That is the nature of being connected to the modern Internet.
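The two methods in the reply above, an unpublished group-url backed by a blackhole AAA server for the default profile, and certificate-only authentication, look like this on an ASA. This is an added example, not the poster's configuration. It assumes a trustpoint named MY-CA has already been authenticated with the CA that issues the user certificates; the RADIUS address 192.0.2.1 (an unused documentation address, so requests simply time out), the shared secret, the hostname vpn.example.com, the URL path, and the issuer name are all placeholders.

```cisco
! Added example, not from the reply above. All names and addresses are placeholders.
!
! Method 1a: a blackhole AAA server for the DEFAULT profile. 192.0.2.1 is an
! unused documentation address, so every request times out and authentication
! fails without touching the real AAA source. No LOCAL fallback is configured.
aaa-server BLACKHOLE protocol radius
aaa-server BLACKHOLE (inside) host 192.0.2.1
 key PLACEHOLDER-SHARED-SECRET
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group BLACKHOLE
!
! Method 1b: the real profile is reachable only through an unpublished URL.
! It is deliberately NOT added to tunnel-group-list, so it never appears in
! the client's profile drop-down; anyone hitting the bare hostname lands in
! DefaultWEBVPNGroup and the blackhole server above.
tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
tunnel-group TG-ANYCONNECT webvpn-attributes
 group-url https://vpn.example.com/placeholder-unpublished-path enable
 ! Method 2: require a client certificate. No username/password prompt is
 ! offered, so random scans have no credential field to guess against.
 authentication certificate
!
! Accept only certificates from your own issuing CA and map them to the
! restricted profile. The issuer CN below is a placeholder.
crypto ca certificate map CERT-MAP 10
 issuer-name attr cn eq Example Corp Issuing CA
webvpn
 certificate-group-map CERT-MAP 10 TG-ANYCONNECT
!
! Verification (privileged EXEC):
!   show vpn-sessiondb anyconnect     -> successful sessions show the mapped tunnel-group
!   show aaa-server BLACKHOLE          -> request/timeout counters reveal stray attempts
```

Method 2 only removes the password prompt; the TLS handshake and the certificate check still happen on the ASA, so, as the reply notes, the traffic is still seen and logged at the firewall even though it never reaches a credential store.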

Marvin,

For the control-plane ACL, if I block everything except the 2 or 3 IPs that I want to allow, isn't that less work?

For #1, I don't know how you point it to a dummy or blackhole AAA server.

For #2, makes sense, but since I have never done that I now have some research to do.  

Thanks for the help.


Do you still need to use an Access-group for this?

Yes, you need an access-group with the keyword control-plane.

Note: there is no need to apply the line below, except in case you still see some host trying to access the ASA via this port:

tcp any any eq 443 <<- this can also block the ASDM or any HTTPS mgmt to FW

MHM
