cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
659
Views
0
Helpful
1
Replies

Allow to access ssl vpn just from specific network

Tomas Fidler
Level 1
Level 1

Hi,

I want to limit from where users are able to access our ssl vpn (anyconnect VPN). So I wana to specify "allowed remote IP address of the client".

For example to allow "just from Europe" access (suppose I know IPs used in Europe).

Does somebody know how to do that?

For us it is considered unsecure to allow to open anyconnect VPN just from everywhere.

1 Reply 1

Herbert Baerten
Cisco Employee
Cisco Employee

Hi Tomas,

you can do this in several ways but the easiest is probably to configure a control-plane acl on the ASA. This limits the traffic to the box (as opposed to the interfce ACLs which only filter traffic through the box).

Can't find a good reference right now but if memory serves me well it would be something like

access-list FOO permit tcp 10.0.0.0 255.0.0.0 interface outside 443

access-group FOO in interface outside control-plane

note that if you want to allow IPsec, ping, ssh, ASDM etc from the outside then you will have to explicitly allow that in this ACL as well

hth

Herbert