07-10-2023 12:03 PM
Is, let's say, creating an ACL (permitting the public IPs from which someone with a laptop AnyConnect client would attempt to connect to the FW) and applying it to the FW interface that AnyConnect is enabled on a better way to try and keep anyone from just trying to establish a connection and download the client? I know it's not really scalable and of course I would still implement authentication, but I'm just wondering how anyone is prevented from establishing some type of connection to the FW to try and establish AnyConnect. I notice in some docs an outside ACL like this is not applied for AnyConnect (SSL), let's say.
Labels: Remote Access
07-10-2023 12:12 PM
Sorry, can you elaborate more?
Thanks.
07-10-2023 12:14 PM
OK, basically, do you need an ACL applied to the interface (let's say the outside interface, where webvpn if an ASA, or AnyConnect, is allowed) allowing the public IP of the remote laptop that will try to open up an AnyConnect connection to the FW? If not, isn't any remote laptop able to try to connect to attempt to open an AnyConnect connection?
07-10-2023 12:20 PM
OK, basically, do you need an ACL applied to the interface (let's say the outside interface, where webvpn if an ASA, or AnyConnect, is allowed) allowing the public IP of the remote laptop that will try to open up an AnyConnect connection to the FW?
If not, isn't any remote laptop able to try to connect to attempt to open an AnyConnect connection? Yes, any public-IP remote laptop will TRY to AnyConnect to the FW, but here come the username/password, and for more security you can use cert and PSK auth.
07-10-2023 12:36 PM
For AnyConnect, is it generally common not to create the ACL for that interface (of course, ACLs to actually traverse from external are still in place)?
07-10-2023 12:42 PM (accepted solution)
An ACL filtering which IP? The AnyConnect client uses a public IP, which is always different from host to host, so how can you know which public IP needs to be added to the ACL?
That is why there is nothing preventing a public-IP host from connecting to the FW on port 443.
And as I mentioned, here comes your auth: it can be less secure using a PSK or more secure using a cert and PSK.
07-10-2023 12:45 PM
An ACL for the remote laptop's and/or user's home public IP would be what I was referring to (to lock down more if generally only allowing, let's say, a few users to VPN from a static home IP).
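For the narrow case this post describes (a few users who always connect from static home IPs), here is an added ASA configuration example; it is not from this thread or any poster, and it goes beyond the accepted answer above, which only covers roaming clients with unpredictable addresses. On the ASA, a normal interface ACL (access-group ... in interface outside) filters traffic passing through the box, not traffic addressed to the ASA itself, so restricting who can reach the AnyConnect listener needs the control-plane keyword. The addresses, object-group and ACL names below are constructed for illustration: 192.0.2.1 stands for the ASA outside IP and the two hosts for the users' static home IPs.

```cisco
! Constructed: the users' static home public IPs
object-group network VPN_ALLOWED_SOURCES
 network-object host 198.51.100.10
 network-object host 203.0.113.25

! Let only those sources reach AnyConnect over TLS (TCP/443) and DTLS (UDP/443),
! then drop the same ports from every other source
access-list OUTSIDE_CP extended permit tcp object-group VPN_ALLOWED_SOURCES host 192.0.2.1 eq 443
access-list OUTSIDE_CP extended permit udp object-group VPN_ALLOWED_SOURCES host 192.0.2.1 eq 443
access-list OUTSIDE_CP extended deny tcp any host 192.0.2.1 eq 443
access-list OUTSIDE_CP extended deny udp any host 192.0.2.1 eq 443

! Keep every other to-the-box service (management, IKE, ICMP) behaving as before,
! rather than relying on the implicit deny at the end of the list
access-list OUTSIDE_CP extended permit ip any any

! Apply as a control-plane ACL (to-the-box traffic), not as a regular interface ACL
access-group OUTSIDE_CP in interface outside control-plane
```

After applying it, attempt a connection from an address that is not in the object group and confirm the deny entries are taking hits with `show access-list OUTSIDE_CP`. If webvpn has been moved off port 443 (`webvpn` / `port`), adjust the port in all four entries. This only helps while the allowed users really do have static addresses; the moment one of them connects from a hotel or mobile network the accepted answer applies again and you are back to relying on authentication, which is why certificate-based client authentication is the control that scales.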
07-10-2023 12:42 PM
Also, the IPs assigned to the remote AnyConnect laptop/client still need a corresponding ACL to allow them to reach whatever internal resources are behind the FW in the network, correct?
07-10-2023 12:50 PM
The ASA has two behaviors here:
1- With sysopt connection permit-vpn:
this allows the AnyConnect user to access all subnets behind the FW.
2- Without sysopt connection permit-vpn:
here you need an ACL to allow the AnyConnect host to access the subnet.
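The two behaviors above, as an added ASA configuration example rather than the poster's own config. The addresses, ACL and group-policy names are constructed: 10.200.0.0/24 stands for the AnyConnect address pool and 10.10.10.5 for an internal server. The example also adds a per-group-policy vpn-filter, which the thread does not mention but which is the usual way to give VPN users least-privilege access without disabling sysopt connection permit-vpn for every tunnel on the box.

```cisco
! Behavior 1 (the ASA default): decrypted VPN traffic bypasses the outside interface ACL,
! so an AnyConnect client can reach any subnet the ASA routes to. The default is not shown
! in a plain "show run"; check the effective value with "show running-config all sysopt".
sysopt connection permit-vpn

! Behavior 2: decrypted VPN traffic is subject to the inbound ACL on the outside interface.
! The client pool (constructed: 10.200.0.0/24) must then be permitted explicitly; anything
! not matched falls to the ACL's implicit deny, including any other inbound traffic.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.200.0.0 255.255.255.0 host 10.10.10.5 eq 443
access-list OUTSIDE_IN extended deny ip 10.200.0.0 255.255.255.0 any log
access-group OUTSIDE_IN in interface outside

! Alternative that enforces per-user scope with either setting: a vpn-filter on the group policy.
! Write the entries with the VPN client as source; the ASA applies the filter to both directions.
access-list VPN_USERS_FILTER extended permit tcp any host 10.10.10.5 eq 443
access-list VPN_USERS_FILTER extended deny ip any any log
group-policy GP_RA_USERS attributes
 vpn-filter value VPN_USERS_FILTER
```

Pick one of the two sysopt states; they are shown together only for contrast. Turning sysopt connection permit-vpn off affects every tunnel terminating on the ASA, including site-to-site IPsec, so existing interface ACLs must already cover that traffic before you change it. The vpn-filter avoids that blast radius because it is scoped to the group policy (or to a user via the user attributes), and `show access-list VPN_USERS_FILTER` hit counts after a client logs in confirm it is being applied.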
07-10-2023 12:54 PM - edited 07-10-2023 12:56 PM
Awesome thanks!
