4734 Views, 0 Helpful, 6 Replies

use access rules on AnyConnect ports?

Hi,

I'm not a Cisco expert, so I hope to find one here! I'm running ASA 8.0(4) on a 5510 using two Ethernet ports, where one is incoming and the other is used for outgoing traffic.

My problem is really simple: I would like to block the AnyConnect port (443 TCP & UDP) using some type of access rule. It seems the access rules do not apply to the VPN ports.

How can I accomplish this?

Thanks in advance!

Alexander

1 Accepted Solution

6 Replies

Do you want to block port 443 from reaching your ASA, or do you want to block this port when it flows through the ASA, i.e. from inside to outside or from outside to inside?

Hi Paul, I want to block port 443 from outside to inside. In other words, I would like some IPs to have access, but by default I would like to deny access. I hope you have an answer.

If it is from outside to inside, I can assume you have at least a static NAT translating a public IP to a private IP, right?

If that is the case, you can filter based on an access list specifying the source, destination and port 443 that you want to allow; everything else gets blocked.

I hope this helps


> If it is from outside to inside, I can assume you have at least a static NAT translating a public IP to a private IP, right?

I enabled AnyConnect VPN client access on the WAN port, so I had no static NAT.

Are you telling me I should enable the AnyConnect client for the lan interface and add a static rule from wan to lan?

I am still not clear on what you need. First you mentioned you needed to allow access from outside to inside, and now you say that it is from outside to the WAN port. If this is the case, then it looks like your ASA is your VPN server and that your clients connect to the outside IP of the ASA using AnyConnect, correct?

Unfortunately, if you enable WebVPN (AnyConnect) on the interface, it allows any IP to reach that IP.

There is a method that you can try in order to filter traffic to the interface.

Here is an example that could help:

access-list outside_interface permit tcp host <allowed-ip> interface outside eq 443

access-group outside_interface in interface outside control-plane

On the ACL you allow only the desired IPs and desired traffic to the interface and then apply the access-group on that interface.

I haven't used this to filter VPN traffic but it could work. I suggest you to test it off hours so that it doesn't affect any services.
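To show the distinction Paul is drawing between through-the-box and to-the-box filtering in full, here is a worked control-plane ACL for the scenario in this thread. It is an example written for this page, not configuration from the original post or from Cisco; the source addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders for the remote-access clients you want to permit, and the ACL name outside_cp_in is made up. It covers both TCP 443 (SSL) and UDP 443 (DTLS) since AnyConnect uses both, ends with a permit so that other traffic to the ASA itself (management, IPsec) is not affected by the new ACL, and adds the show commands used to confirm the rule is matching.

```cisco
! Constructed example: restrict which sources may reach the AnyConnect/WebVPN
! listener on the ASA's own outside interface. Addresses are placeholders.
!
! 1. Permit the intended clients to TCP/443 (SSL) and UDP/443 (DTLS).
access-list outside_cp_in extended permit tcp host 203.0.113.10 interface outside eq 443
access-list outside_cp_in extended permit udp host 203.0.113.10 interface outside eq 443
access-list outside_cp_in extended permit tcp 198.51.100.0 255.255.255.0 interface outside eq 443
access-list outside_cp_in extended permit udp 198.51.100.0 255.255.255.0 interface outside eq 443
!
! 2. Deny 443 from everyone else and log it, so refused attempts show up
!    as syslog 106023 (denied by access-group).
access-list outside_cp_in extended deny tcp any interface outside eq 443 log
access-list outside_cp_in extended deny udp any interface outside eq 443 log
!
! 3. Leave all other to-the-box traffic as it was (IKE/ESP for IPsec peers,
!    SSH/ASDM management, ICMP). Without this line the ACL's implicit deny
!    at the end would also drop those. Tighten this later once verified.
access-list outside_cp_in extended permit ip any interface outside
!
! 4. Apply as a control-plane ACL. This is the part that matters: the plain
!    "access-group outside_cp_in in interface outside" form filters only traffic
!    passing THROUGH the ASA and never touches the VPN listener on the box.
access-group outside_cp_in in interface outside control-plane
!
! 5. Verification after applying it (run from enable mode):
!    show access-list outside_cp_in            ! hit counts per line
!    show logging | include 106023             ! logged denies from step 2
!    show running-config access-group          ! confirm "control-plane" is present
```

Apply it from a session that is not itself on the outside interface (or from a source you have permitted in step 3), and check the hit counters while a known-good client connects and a non-permitted one is refused; the permit-any line in step 3 is what keeps this from locking you out of management while you test, which is the risk behind Paul's advice to do it off hours.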

Hi Paul!

> First you mentioned you needed to allow access from outside to inside and now you said that it is from outside to the WAN port.

Sorry for the confusion and mixing up these terms; it's all new to me. For me this is the same thing, but now I see the distinction in what you mean. Indeed, I meant traffic from outside to the WAN port.

> your ASA is your VPN server and that your clients connect to the outside IP of the ASA using AnyConnect, correct?

This is correct.

> Unfortunately, if you enable WebVPN (AnyConnect) on the interface, it allows any IP to reach that IP.

Ok, clear.

> On the ACL you allow only the desired IPs and desired traffic to the interface and then apply the access-group on that interface.

> I haven't used this to filter VPN traffic but it could work. I suggest you to test it off hours so that it doesn't affect any services.

I will, thank you for your help!
