03-01-2023 09:24 AM
I have AnyConnect VPN, all working fine. I want to make sure it's accessible only from Amazon Workspaces; right now we connect from any source. Is there a way to block and only allow connections from the workspace? I tried many options but no solution.
03-01-2023 10:20 AM
@mangwendeelijah I assume you mean you will install the anyconnect VPN client in the Amazon workspace VDI?
If so you could use a control plane ACL on the FTD or ASA, permit traffic from the Amazon IP address ranges and deny all traffic. The control-plane ACL controls traffic to the ASA or FTD itself, this is not the same as the ACL/ACP that controls traffic through the firewall.
Example for FTD https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/
03-01-2023 11:48 AM
Thanks Rob, yes I installed AnyConnect in the workspace and it is working fine, I just want to block any connections from outside the workspace.
03-01-2023 11:55 AM
I will try to find out how it's done on the ASA through the control-plane solution.
03-01-2023 12:00 PM
@mangwendeelijah it's the same principle as the FTD example provided. Here is a basic example that will work on the ASA:
access-list CPLANE permit ip x.x.x.x 255.255.255.0 any
access-list CPLANE deny ip any any
access-group CPLANE in interface OUTSIDE control-plane
Just define an ACL permitting the traffic from Amazon to the ASA, then deny all other traffic. Be careful: if you are running Site-to-Site VPNs on the same ASA you will also need to permit this traffic.
Then assign the ACL inbound to the outside interface and ensure you append control-plane to the end of the syntax.
03-01-2023 12:43 PM
Thanks Rob, will update with results. Much appreciated.
03-13-2023 09:28 AM
Hi Rob,
I configured this, but as you mentioned before, it's blocking our site-to-site VPN, yet I permitted the traffic.
access-list CPLANE permit ip 18.142.130.0 255.255.255.0 any
access-list CPLANE extended permit ip 10.10.40.0 255.255.255.0 host 185.166.60.130
access-list CPLANE extended permit ip 10.4.60.0 255.255.255.0 host 185.166.64.130
access-list CPLANE deny ip any any
access-group CPLANE in interface External-LINK control-plane
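To show why this ACL still blocks the tunnel, here is an added first-match evaluator for ASA-style ACL lines (my own code, not from the thread or Cisco). It follows Rob's point that the control-plane ACL filters packets addressed to the ASA itself: the site-to-site peer's own IKE/ESP packets come from 185.166.60.130 to the ASA's outside address, not from 10.10.40.0/24, so they fall through to the deny. The ASA outside address 203.0.113.1 and the client 198.51.100.7 are constructed placeholders, and the "fixed" ACL permitting the peer hosts is my assumption of the needed change, not something the thread states.

```python
import ipaddress

def _addr(tokens):
    # consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def parse_acl(text):
    # parse 'access-list NAME [extended] permit|deny PROTO SRC DST' lines
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()[2:]          # drop 'access-list NAME'
        if tokens[0] == "extended":
            tokens.pop(0)
        action, proto = tokens.pop(0), tokens.pop(0)
        aces.append((action, proto, _addr(tokens), _addr(tokens)))
    return aces

def evaluate(aces, proto, src, dst):
    # first matching ACE wins; every ASA ACL ends with an implicit deny
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, src_net, dst_net in aces:
        if p in ("ip", proto) and s in src_net and d in dst_net:
            return action
    return "deny"

ASA_OUTSIDE = "203.0.113.1"   # constructed placeholder for the ASA outside IP
# ACL as posted: the site-to-site lines describe traffic *through* the tunnel
POSTED_ACL = parse_acl("""
access-list CPLANE permit ip 18.142.130.0 255.255.255.0 any
access-list CPLANE extended permit ip 10.10.40.0 255.255.255.0 host 185.166.60.130
access-list CPLANE extended permit ip 10.4.60.0 255.255.255.0 host 185.166.64.130
access-list CPLANE deny ip any any
""")
# Same intent, but also permitting the peers' own packets (IKE/ESP) *to* the ASA
FIXED_ACL = parse_acl("""
access-list CPLANE permit ip 18.142.130.0 255.255.255.0 any
access-list CPLANE extended permit ip host 185.166.60.130 any
access-list CPLANE extended permit ip host 185.166.64.130 any
access-list CPLANE deny ip any any
""")

def check(aces):
    # verdicts for flows that arrive at the ASA's own outside interface
    return {
        "workspace_client": evaluate(aces, "tcp", "18.142.130.25", ASA_OUTSIDE),
        "s2s_peer_ike": evaluate(aces, "udp", "185.166.60.130", ASA_OUTSIDE),
        "random_internet": evaluate(aces, "tcp", "198.51.100.7", ASA_OUTSIDE),
    }
```

The posted ACL permits the WorkSpaces client but denies the peer's IKE packets, which matches the symptom reported; the protocol matching is simplified to the plain `ip` permits used in the thread.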