As mentioned, it's the AnyConnect client (in the title).

"What i'm after is a way to restrict access to an AnyConnect authenticated and connected client, on a specific profile, to a list of specific websites (all on the Intranet). Everything else must be blocked."

Do you have a sample configuration that could possibly assist me? I'm new to the ASA world, and haven't touched a PIX in well over 6 years unfortunately.

Any samples would be awesome:)

Here is the sample configuration with vpn-filter:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Hope this helps.

Thanks Jennifer that's pretty much what I have now on my IOS SSL VPN gateway.

I should have been more specific, I actually need to lock it to very specific URL's on devices to avoid people simply dropping off the last few directories of the site, and accessing data they should not be able to see.

I'm trying to work around an existing setup that is not going to be changing anytime soon unfortunately. Is there a way to do these kinds of filters on a per group-policy setup, using regex?

Unfortunately not for AnyConnect client.

The webtype ACL is only supported on Clientless SSL:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1599455

Is there a way to do URL matching on regex in conjunction with the vpn-filter command?

Just seems a little backward that by enabling more functionality, it's making it harder to lock down (not your fault I know )

Yes, you can configure that with service-policy.

Here is the sample for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml

The example is configured with permit tcp any any on port 80 and 443, so you might want to restrict that to your AnyConnect traffic flow: tcp

and apply the service policy on the outside interface.

Thanks again, but that won't work either.

I need to find a way of having it so it's only on one policy-group, and not for every VPN user.

I have 3 policy groups, two for external parties to access very specific URL's (both different lists) and a third for staff (no filters required). Applying a service policy to an entire interface will not work as it will restrict every VPN user to the same conditions.

In addition, that example is to *block* websites. The 2 policy groups that need restricting have a defined set of URL's that they are *only* allowed to access, and everything else must be blocked.

I need to restrict several policy groups to very specific sets of URL's, on the same ASA, and deny all other sites (allowing only DNS queries, which is easy to do).

I was under the belief that it was quite easy to do on an ASA (hence my reason for getting one in place of the IOS based VPN end-point) but it's appearing as though it's not a possibility.

How about configuring different pool of addresses for those 2 different policy. Once the vpn pool is different between guest and staff, then you can restrict them accordingly per the unique vpn pool.

The VPN filter will already restrict it to a specific IP Address. The service policy will further restrict it to the URL level. You can create a "match not" regex to allow the configured regex through:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2118309

Getting more complicated now

Thanks for that. Yes, what seems to be a simple request is becoming stupidly complicated:)

I've just broken up the two 'special' groups to have their own ip pools, so i'll get to work on the vpn acl's and regex's. Time to brush up on my carets and dots

LOL, have fun ...