
Restrict access to https/anyconnect based on IP

Scott Whitney
Level 1
I'm trying to restrict access through my ASA from several countries. When I test the ACL using my IP I lose ping ability and access to resources, as I should. However, I can still ping the outside interface and initiate an AnyConnect connection.

access-list outside extended deny ip object-group BlockedCountries any   <- blocks access to permitted resources but doesn't stop access to the outside interface itself

webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-win-4.7.00136-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-macos-4.7.00136-webdeploy-k9.pkg 2
 anyconnect image disk0:/anyconnect-linux64-4.6.03049-webdeploy-k9.pkg 3
 anyconnect profiles CPH_profile disk0:/cph_profile.xml
 anyconnect profiles MsiteVPN disk0:/msitevpn.xml
 anyconnect profiles Vendors disk0:/vendors.xml
 anyconnect enable
 tunnel-group-list enable
 cache disable

Is there any way to evaluate traffic going to this interface itself?
1 Accepted Solution

Hi,

A normal ACL will filter traffic through the ASA but not traffic destined to the ASA's interface. You would need to use the "control-plane" syntax when defining the access-group. Example here.


HTH
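For readers who want to see the two access-group forms side by side, here is an added illustration (constructed for this thread, not the poster's configuration or the answer's linked example): the same BlockedCountries object-group applied once as a normal through-the-box ACL and once as a to-the-box control-plane ACL. The source ranges are documentation addresses used as placeholders.

```text
! Constructed placeholder ranges for the countries to block (RFC 5737 documentation space)
object-group network BlockedCountries
 network-object 203.0.113.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
!
! Through-the-box ACL: evaluated only for traffic transiting the ASA,
! so it never sees connections whose destination is the outside interface itself
access-list outside extended deny ip object-group BlockedCountries any
access-list outside extended permit ip any any
access-group outside in interface outside
!
! To-the-box ACL: the "control-plane" keyword makes the ASA evaluate it for traffic
! destined to the interface address, which is where the AnyConnect/SSL listener lives.
! The explicit permit at the end matters: the implicit deny would otherwise cut off
! every remaining management and VPN connection to that interface.
access-list outside_cp extended deny ip object-group BlockedCountries any
access-list outside_cp extended permit ip any any
access-group outside_cp in interface outside control-plane
!
! ICMP aimed at the interface address is governed separately by the icmp command
icmp deny 203.0.113.0 255.255.255.0 outside
icmp deny 198.51.100.0 255.255.255.0 outside
icmp permit any outside
```

After applying, "show access-list outside_cp" shows hit counts on the deny line when a blocked source attempts an AnyConnect connection, which is the quickest way to confirm the control-plane ACL is actually being evaluated.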


2 Replies

Scott Whitney
Level 1
Sorry it collapsed my format. let me know if there are any questions

