AnyConnect filtering?

CiscoPurpleBelt
Level 6

Is, let's say, creating an ACL (permitting the public IPs from which someone with a laptop running the AnyConnect client will attempt to connect to the FW) and applying it to the FW interface on which AnyConnect is enabled a better way to try to keep anyone from just attempting to establish a connection and download the client? I know it's not really scalable and of course I would still implement authentication, but I'm just wondering how anyone is prevented from establishing some type of connection to the FW to try to establish AnyConnect. I notice in some docs that an outside ACL like this is not applied for AnyConnect (SSL), let's say.

1 Accepted Solution

ACL filtering which IP? AnyConnect uses a public IP which is always different from host to host; how can you know which public IP needs to be added to the ACL?
That's why there is nothing preventing a public-IP host from connecting to the FW using port 443.

And, as I mentioned, here comes your auth: it can be less secure using PSK or more secure using cert & PSK.

Sorry, can you elaborate more?

Thanks.

OK, basically, do you need an ACL applied to the interface (let's say the Outside interface, where webvpn, if it's an ASA, or AnyConnect is allowed) allowing the public IP of the remote laptop that will try to open an AnyConnect connection to the FW? If not, isn't any remote laptop able to try to connect and attempt to open an AnyConnect connection?

OK, basically, do you need an ACL applied to the interface (let's say the Outside interface, where webvpn, if it's an ASA, or AnyConnect is allowed) allowing the public IP of the remote laptop that will try to open an AnyConnect connection to the FW?
If not, isn't any remote laptop able to try to connect and attempt to open an AnyConnect connection? Yes, any remote laptop with a public IP will TRY to AnyConnect to the FW, but here comes the username/password, and for more security you can use cert and PSK auth.

For AnyConnect, is it generally common not to create the ACL for that interface (of course, ACLs for traffic actually traversing from External are still in place)?

An ACL for the remote laptop's and/or the user's home public IP is what I was referring to (to lock things down more if, let's say, only a few users are generally allowed to VPN in from static home IPs).

Also, the IPs assigned to the remote AnyConnect laptop/client still need a corresponding ACL to allow them to reach whatever internal resources are behind the FW in the network, correct?

The ASA has two behaviours here:
1- With sysopt connection permit-vpn:
this allows the AnyConnect user to access all subnets behind the FW.
2- Without sysopt connection permit-vpn:
here you need an ACL to allow the AnyConnect host to access the subnet.

Awesome, thanks!
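As an added example (not posted by anyone in this thread), an ASA configuration fragment that puts the last reply's two behaviours side by side and then applies the original poster's static-home-IP idea to traffic destined to the ASA itself. The pool, subnets, addresses and ACL names are constructed placeholders, and the control-plane ACL is assumed to be supported on the ASA version in use; check it against your release before relying on it.

```text
! --- Constructed example values (not from the thread) ---
! Address pool handed to AnyConnect clients
ip local pool ANYCONNECT_POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Behaviour 1: decrypted VPN traffic bypasses the interface ACL.
! Every authenticated AnyConnect user can reach every subnet behind the ASA.
sysopt connection permit-vpn

! Behaviour 2: disable the bypass, then permit only what remote users
! actually need (here: one application server on 443 and an internal DNS).
! Decrypted AnyConnect traffic is now subject to the outside interface ACL.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.99.0.0 255.255.255.0 host 10.10.1.20 eq 443
access-list OUTSIDE_IN extended permit udp 10.99.0.0 255.255.255.0 host 10.10.1.53 eq 53
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! The OP's idea: only a few static home IPs may reach the AnyConnect
! service itself (SSL on tcp/443, DTLS on udp/443), so other sources are
! dropped and logged before they ever see the login page. A control-plane
! ACL filters to-the-box traffic; assumed available on this ASA version.
access-list VPN_SOURCES extended permit tcp host 203.0.113.10 any eq 443
access-list VPN_SOURCES extended permit udp host 203.0.113.10 any eq 443
access-list VPN_SOURCES extended permit tcp host 198.51.100.22 any eq 443
access-list VPN_SOURCES extended permit udp host 198.51.100.22 any eq 443
access-list VPN_SOURCES extended deny tcp any any eq 443 log
access-list VPN_SOURCES extended deny udp any any eq 443 log
access-group VPN_SOURCES in interface outside control-plane
```

The deny-and-log entries are what make failed connection attempts visible in syslog, which is the detection half of the accepted answer's "rely on authentication" advice; the source-IP restriction only helps for the small static-address user base the OP describes.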