Showing results for 
Search instead for 
Did you mean: 

How to configure AnyConnect ACL's?

I am a little new to Cisco ASA's but we bought two new 5540's to use as a new VPN solution for our company. We want to implement Cisco Anyconnect full client and Clientless based solutions for our end users. I am having problems working with setting up access lists based on groups. I simply want to create access-lists to certain IP's based on groups. I ultimately want to get to the point where we have Dynamic Access Policies that are based on Active Directory Groups allowing access to back end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL on a group.   Can anyone please help me with this? Any help would be much appreciated.

Everyone's tags (3)
Cisco Employee

How to configure AnyConnect ACL's?


What would you like ASA to do?

In general we can use vpn-filer ... like this:



Re: How to configure AnyConnect ACL's?

Thanks for your reply....

I would like to have a block all then allow access to certain back end servers. For example: If user signs in and authenticates against AD. I would like to keep it simple at first and just apply an access list to that group. I was told by a few people that the ASA starts a connection with it open to everything and then you have to tell it what to block. I would like to apply an ACL to a group where it just allows access to one application. So I would be a Coplink user for instance and I am allowed to connect back to our Anyconnect VPN. The user signs on and because he is in the Coplink group apply an access list to him to only allow him to 10.105.x.x. Or if someone is in a group called SSL_VPN they would only have access to 10.101.x.x and 10.105.x.x networks.


Well , I have implemented a

Well , I have implemented a similar solution with 2FA , The ASA will look for some string from the AD and apply an ACL created in the VPN filter list.

Haven't implemented this using LDAP but I know it is doable