Solved: how I can Specific just 1 External IP to to connect by AnyConnect

W-ALI · ‎08-28-2021

Hi All,
My F.W Device type: ASA 5516

ASA version: 9.12

ASDM Version:7.13

Already I created Many connection profiles to connect by AnyConnect from any External IP,

now I want to create another new Connection Profile and specific for him to connect just from 1 Specific External source IP ,

if that possible or there's any solution?

Thanks in Advance

Marvin Rhoads · ‎08-28-2021

You can use hostscan with a dynamic access policy to check attributes on an endpoint as a condition of allowing remote access VPN. Note using hostscan requires AnyConnect Apex licensing. However, endpoint IP address is not among the attributes you can add. You can use MAC address if that helps. If you have Cisco ISE, you could build an Authorization policy there checking for the endpoint IP address.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc16

https://packetswitch.co.uk/cisco-asa-dap/

View solution in original post

Marvin Rhoads · ‎08-28-2021

You can use hostscan with a dynamic access policy to check attributes on an endpoint as a condition of allowing remote access VPN. Note using hostscan requires AnyConnect Apex licensing. However, endpoint IP address is not among the attributes you can add. You can use MAC address if that helps. If you have Cisco ISE, you could build an Authorization policy there checking for the endpoint IP address.

https://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc16

https://packetswitch.co.uk/cisco-asa-dap/

W-ALI · ‎08-29-2021

Thanks Marvin for your fast response , really appreciated

00u1m0m575SC6QDef5d7 · ‎08-29-2021

I want to create another new Connection Profile and specific for him to connect just from 1 Specific External source IP ,