06-02-2009 02:37 AM - edited 02-21-2020 04:15 PM
Hi all,
We have recently set up a Cisco ASA 5520 to provide a clientless SSL VPN via the web portal for our staff.
My question is, how do I restrict access to the web portal to certain IP addresses/ranges?
Basically, the clientless SSL VPN is enabled on both the inside and outside interfaces.
With the outside interface, we would like anyone from any IP to be able to access the portal. From the inside interface, we would only like members of a certain subnet to be able to log onto the portal, or even get access to it. This is to stop our limited SSL licenses from being tied up by people using the system internally.
My current understanding is that the VPN traffic bypasses the interface ACLs. Is there any way for me to get the SSL connections coming into the inside interface to be subject to these ACLs?
Any help much appreciated,
Many thanks
Jonathan
06-02-2009 08:33 AM
You could achieve this using control plane policing.
! 1.1.1.1 = the permitted client address, 2.2.2.2 = the inside interface address
access-list cplane extended permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list cplane extended deny tcp any host 2.2.2.2 eq 443
! "control-plane" makes the ACL apply to traffic addressed to the ASA itself on that interface
access-group cplane in interface inside control-plane
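The same approach as the answer above, worked out for a whole subnet instead of a single host. This is an added example and not configuration from the original thread; the inside interface address 10.1.1.1, the permitted staff subnet 10.10.10.0/24 and the ACL name CPLANE-INSIDE are assumed for illustration. The outside interface is deliberately left without a control-plane ACL so the portal stays reachable from any address there, as the question asks.

```cisco
! Added example (assumed addresses): restrict the clientless SSL VPN portal on
! the inside interface to the 10.10.10.0/24 subnet only.
!
! A control-plane ACL matches only traffic addressed to the ASA itself
! (to-the-box); the interface's normal through-traffic ACL is not changed.
access-list CPLANE-INSIDE extended permit tcp 10.10.10.0 255.255.255.0 host 10.1.1.1 eq 443
access-list CPLANE-INSIDE extended deny tcp any host 10.1.1.1 eq 443
!
! Permit everything else to-the-box explicitly so that the new ACL cannot
! accidentally cut off other management traffic on inside (SSH, ASDM, ICMP).
access-list CPLANE-INSIDE extended permit ip any any
!
! Apply to the inside interface only; no control-plane ACL on outside.
access-group CPLANE-INSIDE in interface inside control-plane
!
! Verification (run after applying, then browse to https://10.1.1.1 from one
! host inside the subnet and one outside it):
!   show running-config access-group
!   show access-list CPLANE-INSIDE
```

The `show access-list CPLANE-INSIDE` output carries a hit count per line, so a test from an address outside 10.10.10.0/24 should increment the deny line while a test from inside the subnet increments the permit line. If the deny hit count stays at zero even though the test client still reaches the portal, the connection is not being matched by this ACL on that interface and the restriction is not taking effect.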
04-08-2015 10:39 AM
We tried this to limit the IP ranges of who can access the ASA Portal page but even at the Control Plane level it won't limit the https access on the outside interface.