Yes, you can apply an access list to the connection using DAP to block particular IPs and ports, but you need to create 2 separate ACLs: one with the deny statements and the other one with the permit statement; otherwise the ACL won't be applied to the connection. You can also run the debug "debug dap trace 200" to make sure that you're hitting the correct DAP that you configured when you connect.
Regards, please rate.
I created a policy in Remote Access VPN > Dynamic Access Policies and changed these options:
Selection Criteria: User has ALL of the following AAA Attribute values ...
Tabs: Access Method for AnyConnect Client, and AnyConnect for the Use AnyConnect Profile setting.
Without any changes in other places it works, I checked this using Test Dynamic Access Policies...
Now I'd like to block RDP port, how can I do that and where?
In the DAP that you configured there is an option that says Network Access Filter, and you can apply an access list there. You configure one with your deny statements:
access-list noaccess extended deny tcp x.x.x.x 255.255.255.0 y.y.y.y 255.255.255.255 eq 3389
x.x.x.x = anyconnect pool
y.y.y.y = destination server or ip
and another one with permit any any to allow the rest of the traffic:
access-list access extended permit ip any any
Then apply both ACLs under Network Access Filter. When the connection hits that DAP, the ACL will be assigned to the connection and the denies will automatically be placed on top.
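To see why the deny list has to end up ahead of the permit-any entry, here is an added example (not from the thread or from Cisco) that parses the two ASA extended ACEs in the same form as above, merges them denies-first the way the answer says the DAP filter does, and evaluates a few sample flows with first-match semantics. The pool 10.10.0.0/24 and server 192.0.2.10 are constructed placeholders for x.x.x.x and y.y.y.y.

```python
import ipaddress

# Constructed sample lists modelled on the two ACLs described in the answer above.
# 10.10.0.0/24 stands in for the AnyConnect pool, 192.0.2.10 for the RDP server.
NOACCESS_ACL = ["access-list noaccess extended deny tcp 10.10.0.0 255.255.255.0 192.0.2.10 255.255.255.255 eq 3389"]
ACCESS_ACL = ["access-list access extended permit ip any any"]

def _addr(tokens):
    """Consume one address spec of an ASA extended ACE: any | host A | A NETMASK."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0))
    return ipaddress.ip_network(f"{tok}/{tokens.pop(0)}", strict=False)

def _port(tokens):
    """Consume an optional numeric 'eq PORT' qualifier; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0))
    return None

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an ASA extended ACE: " + line)
    action, proto, rest = t[3], t[4], t[5:]
    src, sport = _addr(rest), _port(rest)
    dst, dport = _addr(rest), _port(rest)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def dap_merge(deny_acl, permit_acl):
    """Order entries the way the DAP network filter applies them: denies on top."""
    aces = [parse_ace(line) for line in deny_acl + permit_acl]
    return ([a for a in aces if a["action"] == "deny"]
            + [a for a in aces if a["action"] == "permit"])

def evaluate(aces, proto, src_ip, dst_ip, dport, sport=None):
    """First-match evaluation of one flow; implicit deny if nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for a in aces:
        if (a["proto"] in ("ip", proto) and src in a["src"] and dst in a["dst"]
                and a["sport"] in (None, sport) and a["dport"] in (None, dport)):
            return a["action"]
    return "deny"

if __name__ == "__main__":
    merged = dap_merge(NOACCESS_ACL, ACCESS_ACL)
    print(evaluate(merged, "tcp", "10.10.0.5", "192.0.2.10", 3389))  # deny
    print(evaluate(merged, "tcp", "10.10.0.5", "192.0.2.10", 443))   # permit
```

Feeding the same two entries in permit-first order makes the RDP flow match permit ip any any first, which is the situation the deny-on-top merge avoids.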
Thank you for the answer, now I know what to do.
I have one more question, a little bit off topic. I noticed you are a Cisco employee:
what is the "Host Scan Image", where can I find and download it, and does this feature require some special licence? Could you give me some information?
Yes, you require an Apex license ("premium").
You can check this link about HostScan features, download link, and others...