Without IPS, block malicious VPN traffic hitting the Cisco ASA

anilkumar.cisco
Level 4

Hello Team,

 

We have an ASA 5525 without IPS enabled; it is used mainly for AnyConnect VPN, and we suspect malicious traffic is hitting the VPN from outside.

How can we block this on the outside interface if I know the source IP of the malicious traffic?

 

Any idea or expert advice? I don't have IPS in my environment.

 

Best Regards

Anil Singh


@anilkumar.cisco 

You can use a control-plane ACL on the ASA; this will permit/deny traffic from a known source destined "to" the ASA itself.

Use a normal ACL permitting/denying traffic and then define the access-group, but append "control-plane" at the end.

 

access-group CPLANE in interface OUTSIDE control-plane

HTH
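The complete configuration the reply above outlines, as an added example rather than anything posted in the thread. The object-group and ACL names, the interface name OUTSIDE and the source addresses (taken from the RFC 5737 documentation ranges) are assumptions; substitute the attacker addresses you have identified.

```cisco
! Added example, not from the thread. Names and addresses are assumptions.
! Goal: drop known-bad sources before they reach anything the ASA itself
! terminates on OUTSIDE (AnyConnect, SSL VPN portal, SSH/HTTPS management),
! without touching traffic that passes "through" the ASA.

! Keep the blocked sources in an object-group so the ACL never needs editing;
! adding a new attacker later is one network-object line here.
! ASA object-groups take subnet masks, not wildcard masks.
object-group network BLOCKED_VPN_SOURCES
 network-object host 203.0.113.10
 network-object 198.51.100.0 255.255.255.0

! Deny the known-bad sources, then explicitly permit everything else.
! The explicit permit is essential: like every ASA ACL this one ends in an
! implicit deny, so without it ALL to-the-box traffic on OUTSIDE would be
! dropped, including every legitimate AnyConnect user and your own
! management sessions.
access-list CPLANE extended deny ip object-group BLOCKED_VPN_SOURCES any
access-list CPLANE extended permit ip any any

! "control-plane" makes this apply only to traffic destined to the ASA,
! not to traffic through it; existing interface ACLs are unaffected.
access-group CPLANE in interface OUTSIDE control-plane

! Verification (exec mode):
!   show access-group               - confirms CPLANE is bound with control-plane
!   show access-list CPLANE         - hitcnt on the deny line rises while the
!                                     attacker keeps connecting
! Back out if a legitimate address was blocked by mistake:
!   no access-group CPLANE in interface OUTSIDE control-plane
```

Before applying it, confirm your own management address is not inside any range in the object-group, because the ACL governs SSH and HTTPS to the ASA on that interface as well as VPN; then watch the hit counter on the deny line and a failed AnyConnect attempt from a blocked address to confirm it is doing what you expect.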

 

I am a little bit bothered about this ACL.

 

Hope it will not impact normal traffic or VPN traffic, and will stop the AnyConnect hack attempts.

 

I am looking for the config that will drop all traffic to all services on the firewall's outside interface, including all VPN/AnyConnect traffic: if the source is in a denied object-group, it will get dropped, both to the outside interface and to AnyConnect.

 

What is your opinion on the two solutions below?

 

Can we also shun the IPs manually to block them from accessing the ASA, as per the link below?

 

Ref link: https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113685-asa-threat-detection.html#anc0

 

What about botnet traffic?

 

Kindly advise.

 

Best Regards

Anil Singh

 

The control-plane ACL would block/permit traffic "to" the ASA itself, so yes, it will control VPN (AnyConnect) traffic. Was that not your intention?

 

Normal traffic, which is traffic "through" the ASA, such as outbound internet access from inside hosts, will not be affected by the control-plane ACL. A normal interface or global ACL would control traffic "through" the ASA, inbound or outbound.

Yes, that was my intention. Thanks for clarifying that.

 

Just want to understand how manually shunning the IP, or botnet traffic filtering, could be used here.

 

Best Regards

Anil Singh

It's used to stop attacks before they reach the internal network infrastructure, so traffic "through" the ASA, not "to" the ASA, which is what VPN is. So the control-plane ACL would meet your requirements.

Another option is to put an ACL inbound on the upstream router, blocking the malicious IP addresses and permitting all others.
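The upstream-router variant mentioned in the reply above, as an added example that is not from the thread. It assumes an IOS router whose Internet-facing interface is GigabitEthernet0/0 and reuses the same documentation-range addresses; the ACL and interface names are assumptions.

```cisco
! Added example, not from the thread. Interface name and addresses are
! assumptions. Inbound on the Internet uplink, so the packets are dropped
! before they ever reach the ASA's outside interface.
ip access-list extended BLOCK_VPN_ABUSE
 remark Known sources of AnyConnect abuse against the ASA behind this router
 deny   ip host 203.0.113.10 any
 ! IOS ACLs use wildcard masks: 0.0.0.255 here, not 255.255.255.0 as on the ASA
 deny   ip 198.51.100.0 0.0.0.255 any
 ! Permit everything else, otherwise the implicit deny blackholes the uplink
 permit ip any any

interface GigabitEthernet0/0
 description Internet uplink
 ip access-group BLOCK_VPN_ABUSE in

! Verification (exec mode):
!   show ip access-lists BLOCK_VPN_ABUSE   - match counters on the deny lines
!   show ip interface GigabitEthernet0/0   - confirms "Inbound access list is BLOCK_VPN_ABUSE"
```

Unlike the ASA control-plane ACL, this blocks the listed sources from reaching anything behind the router, not just the ASA itself, which is usually what you want for a confirmed attacker; the mask notation difference between the two platforms is the usual place such a rule is typed wrong, so check the match counters after applying it.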

So if, by mistake, a legitimate IP is added to the CPLANE ACL, then it will not be able to establish a VPN tunnel via AnyConnect, correct?

 

So this way we can also confirm that our CPLANE ACL is working perfectly.

  

Yes.

I appreciate your response. Thanks very much!!
