08-17-2015 02:47 PM - edited 02-21-2020 08:24 PM
Dear All,
Does anyone know if the ASA allows a filter list or similar control to be applied based on the client's public IP address?
I haven't stumbled across anything obvious that would do this, but perhaps disabling "sysopt connection permit-vpn" and applying some filtering of IKE and 443 via the interface ACL would prevent connections from unwanted IP addresses?
Regards
James.
08-26-2015 03:11 AM
Looking at the DAP configuration guide, there doesn't appear to be any way to get at the endpoint's IP address:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/asdm75/vpn/asdm-75-vpn-config/vpn-asdm-dap.html#ID-2184-00000778
I'm surprised as you would think Cisco could have allowed the ASA to get at the IP address used by the client to establish the VPN.
Is anyone else interested in this feature? If so, I will consider making a feature request.
09-03-2015 08:49 AM
Hey James,
No, the ASA will accept all traffic coming from the clients. You can try disabling the sysopt and allowing the specific traffic from the public IPs of the clients in the interface access-list.
Regards
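An ASA configuration sketch of the allow-listing idea discussed above, added here as an example and not taken from the thread; "outside", the object-group name and the client networks (RFC 5737 documentation ranges) are placeholders. Note that traffic terminating on the ASA itself (IKE, SSL/DTLS) is matched by a control-plane ACL, while the sysopt change only governs decrypted client traffic passing through the interface ACL.

```cisco
! Added example, not from the thread. Placeholders: "outside" is the
! Internet-facing interface; 203.0.113.0/24 and 198.51.100.10 stand in
! for the networks the permitted clients connect from.
object-group network ALLOWED_VPN_CLIENTS
 network-object 203.0.113.0 255.255.255.0
 network-object host 198.51.100.10
!
! To-the-box traffic (IKE, SSL/DTLS) is checked by the control-plane ACL.
! Permit the known client sources, deny the VPN ports from everyone else,
! then permit remaining to-the-box traffic so management is not cut off
! by the implicit deny at the end of the list.
access-list VPN_CP_IN extended permit udp object-group ALLOWED_VPN_CLIENTS any eq isakmp
access-list VPN_CP_IN extended permit udp object-group ALLOWED_VPN_CLIENTS any eq 4500
access-list VPN_CP_IN extended permit tcp object-group ALLOWED_VPN_CLIENTS any eq https
access-list VPN_CP_IN extended permit udp object-group ALLOWED_VPN_CLIENTS any eq 443
access-list VPN_CP_IN extended deny udp any any eq isakmp
access-list VPN_CP_IN extended deny udp any any eq 4500
access-list VPN_CP_IN extended deny tcp any any eq https
access-list VPN_CP_IN extended deny udp any any eq 443
access-list VPN_CP_IN extended permit ip any any
access-group VPN_CP_IN in interface outside control-plane
!
! Optional, as suggested in the thread: with the sysopt disabled, decrypted
! client traffic must also be permitted by the outside interface ACL, where
! it appears with its VPN pool address rather than the client's public IP.
no sysopt connection permit-vpn
```

Verify the result from a source outside the allowed ranges before relying on it, and keep an out-of-band management path in case the control-plane ACL is mis-ordered.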
11-05-2015 07:14 AM
Thanks for the suggestion. The problem with an ACL and disabling the sysopt is that it's too blunt an instrument.
I should have been more clear initially on the actual requirement, which is to restrict the ability for certain users to gain VPN access, depending on their location. Obviously, it would be great if we could get the AnyConnect client to report a GPS location, but just getting back the public IP and making a decision on whether to apply a certain filter list would be an easier option.
I don't think this is possible today with the ASA, even if hostscan and the ISE posture were installed.
Does anyone else think this would be a useful feature?
11-05-2015 09:36 PM
James,
I understand the question but it seems to be a bit contrary to the whole idea of allowing secure remote access from anywhere. Endpoint public IP may or may not accurately reflect a given location. For instance, I have been at some hotels where my public IP reflects a location half a country away (albeit still in the US). We typically rely on user credentials and, where higher security requirements exist, endpoint characteristics such as its compliance with other requirements such as host-local characteristics. When we really want to restrict remote users to a given location, we use site-site VPN.