Anyconnect SSL VPN Client to Amazon Workspaces

mangwendeelijah
Level 1

I have AnyConnect VPN, all working fine. I want to make sure it's accessible only from Amazon Workspaces; right now we can connect from any source. Is there a way to block everything else and only allow connections from the workspace? I tried many options but found no solution.

6 Replies

@mangwendeelijah I assume you mean you will install the AnyConnect VPN client in the Amazon Workspaces VDI?

If so you could use a control-plane ACL on the FTD or ASA: permit traffic from the Amazon IP address ranges and deny all traffic. The control-plane ACL controls traffic to the ASA or FTD itself; this is not the same as the ACL/ACP that controls traffic through the firewall.

Example for FTD https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/


Thanks Rob, yes I installed AnyConnect in the workspace and it's working fine; I just want to block any connections from outside the workspace.

I will try to find out how it's done on the ASA through the control-plane solution.

@mangwendeelijah it's the same principle as the FTD example provided. Here is a basic example that will work on the ASA:

access-list CPLANE permit ip x.x.x.x 255.255.255.0 any
access-list CPLANE deny ip any any
access-group CPLANE in interface OUTSIDE control-plane

Just define an ACL permitting the traffic from Amazon to the ASA, then deny all other traffic. Be careful: if you are running site-to-site VPNs on the same ASA you will also need to permit this traffic.

Then assign the ACL inbound to the outside interface with access-group and ensure you append control-plane to the end of the syntax.

Thanks Rob, will update with results. Much appreciated.

Hi Rob,


I configured this, but as you mentioned before it's blocking our site-to-site VPN, even though I permitted the traffic.

access-list CPLANE permit ip 18.142.130.0 255.255.255.0 any
access-list CPLANE extended permit ip 10.10.40.0 255.255.255.0 host 185.166.60.130
access-list CPLANE extended permit ip 10.4.60.0 255.255.255.0 host 185.166.64.130
access-list CPLANE deny ip any any
access-group CPLANE in interface External-LINK control-plane
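The following is an added worked example, not configuration from this thread or from Cisco. It parses ASA-style control-plane ACL lines (the subset of syntax used above: `any`, `host A.B.C.D`, `A.B.C.D NETMASK`, optional `eq PORT`) and evaluates them against constructed to-the-box packets, to show the caveat Rob raised: a control-plane ACL sees the packet as it arrives at the outside interface, so for a site-to-site tunnel the traffic to permit is IKE (UDP/500, UDP/4500 for NAT-T) and ESP from the peer's public address to the ASA, not the tunnel's inner private subnets. It goes beyond the thread in spelling out those IKE/ESP entries. The ASA outside address (198.51.100.1), the peer address (203.0.113.10) and the AnyConnect client address are assumed, RFC 5737 documentation values; the 18.142.130.0/24 range is the one used in the follow-up post, and the second ACL mirrors the shape of that post's inner-subnet entries.

```python
"""Evaluate ASA-style control-plane ACL lines against sample to-the-box packets.

Added example for this thread, not configuration from the posts above. The
parser handles the subset of ASA syntax used here: 'any', 'host A.B.C.D',
'A.B.C.D NETMASK' and an optional destination 'eq PORT'.
"""
import ipaddress

# Constructed addresses (RFC 5737 documentation ranges), NOT from the thread:
ASA_OUTSIDE = "198.51.100.1"   # assumed ASA outside interface address
S2S_PEER = "203.0.113.10"      # assumed public IP of the site-to-site VPN peer
WORKSPACES_NET = "18.142.130.0 255.255.255.0"  # the range used in the thread


def _parse_addr(tokens, i):
    """Consume one ASA address spec starting at tokens[i]; return (network, next index)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # 'A.B.C.D NETMASK' (ASA uses dotted netmasks, not wildcard masks)
    return ipaddress.ip_network((tok, tokens[i + 1])), i + 2


def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an ASA access-list line: {line!r}")
    i = 2
    if t[i] == "extended":
        i += 1
    action, proto = t[i], t[i + 1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action in: {line!r}")
    src, i = _parse_addr(t, i + 2)
    dst, i = _parse_addr(t, i)
    dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, proto, src, dst, dport=None):
    """First-match evaluation, with the ASA's implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):   # 'ip' matches every IP protocol
            continue
        if s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


# ACL as the thread suggests, plus the to-the-box traffic a site-to-site tunnel
# actually generates: IKE (UDP/500, UDP/4500 for NAT-T) and ESP from the peer's
# public address to the ASA outside address.
TUNNEL_AWARE_ACL = [
    f"access-list CPLANE extended permit ip {WORKSPACES_NET} any",
    f"access-list CPLANE extended permit udp host {S2S_PEER} host {ASA_OUTSIDE} eq 500",
    f"access-list CPLANE extended permit udp host {S2S_PEER} host {ASA_OUTSIDE} eq 4500",
    f"access-list CPLANE extended permit esp host {S2S_PEER} host {ASA_OUTSIDE}",
    "access-list CPLANE extended deny ip any any",
]

# Same shape as the follow-up post's entries: the permits name a tunnel's inner
# (private) subnet. Encrypted packets arriving at the outside interface carry
# the peer's public source address, so these entries never match them.
INNER_SUBNET_ACL = [
    f"access-list CPLANE extended permit ip {WORKSPACES_NET} any",
    f"access-list CPLANE extended permit ip 10.10.40.0 255.255.255.0 host {ASA_OUTSIDE}",
    "access-list CPLANE extended deny ip any any",
]


def demo():
    """Return (tunnel-aware verdict, inner-subnet verdict) for constructed packets."""
    cases = {
        "anyconnect_from_workspaces": ("tcp", "18.142.130.25", ASA_OUTSIDE, 443),
        "anyconnect_from_elsewhere": ("tcp", "192.0.2.77", ASA_OUTSIDE, 443),
        "ike_from_s2s_peer": ("udp", S2S_PEER, ASA_OUTSIDE, 500),
        "esp_from_s2s_peer": ("esp", S2S_PEER, ASA_OUTSIDE, None),
    }
    return {
        name: (evaluate(TUNNEL_AWARE_ACL, *pkt), evaluate(INNER_SUBNET_ACL, *pkt))
        for name, pkt in cases.items()
    }


if __name__ == "__main__":
    for name, (tunnel_aware, inner_subnet) in demo().items():
        print(f"{name:28s} tunnel-aware={tunnel_aware:6s} inner-subnet={inner_subnet}")
```

Both ACLs admit the AnyConnect client from the 18.142.130.0/24 range and drop one from anywhere else, which is the original goal; only the tunnel-aware ACL also lets the peer's IKE and ESP through, which is why an ACL built only from inner subnets breaks the site-to-site tunnel while appearing to permit it.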