How to restrict Cisco anyconnect VPN user to access specific IP range?

techgeek77
Level 1

Hi all,

Is there a way to restrict a Cisco AnyConnect VPN user to a specific network IP range?

Currently existing users connect to the VPN with Cisco AnyConnect, and we only have one public IP dedicated for this purpose.

Users enter their AD ID and password and are then able to establish the connection.

How can I configure the Cisco AnyConnect VPN profile so that a user can only access a specific network segment?

Thanks.

6 Replies

The ACL on the FW must allow the laptop/PC public IP on the VPN-enabled interface, as well as rules allowing the assigned VPN pool IPs to reach internal resources/IPs, correct?

@CiscoPurpleBelt In this context the VPN filter would control traffic "through" the ASA, i.e. AnyConnect VPN user traffic, but not traffic from the public IP address used to establish the VPN tunnel. You can also control VPN "through" traffic using an interface ACL, assuming the command "no sysopt connection permit-vpn" is configured.

Controlling traffic from the public IP address, to restrict which hosts can establish the VPN, can be done using a control-plane ACL; this is not the normal interface ACL used for "through" traffic. A control-plane ACL is rarely used, tbh.

Hi Rob,

That's exactly what I am looking for: only allowing a specific public IP range to initiate AnyConnect/VPN sessions. Do you by any chance have an example of how to configure that on the ASA? Thanks.

I found the following link, but I'm wondering whether the deny access-list at the bottom is required, because it looks like the implicit deny is not there for a control-plane ACL.

https://community.cisco.com/t5/network-security/configuring-control-plane-acl-on-asa/td-p/1968194

@ajc Example https://integratingit.wordpress.com/2021/06/26/ftd-control-plane-acl/ for FTD, with explanation and screenshots; it's the same CLI syntax for the ASA.

ASA syntax: just append control-plane to the end of the ACL.

access-list CPLANE deny ip host 2.2.2.1 any
access-group CPLANE in interface OUTSIDE control-plane

Correct, the CPLANE ACL does not behave the same as an interface ACL: there is no implicit deny at the end of a set of management rules for an interface. Instead, any connection that does not match a management access rule is then evaluated by the regular access control rules.
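A fuller version of the control-plane ACL discussed above, added here as an illustration and not part of Rob's reply. The permitted public range 203.0.113.0/24, the ASA outside address 198.51.100.10 and the interface name OUTSIDE are constructed for the example. Because a control-plane ACL has no implicit deny, the lines that actually enforce the restriction are the explicit denies at the end; they are scoped to the VPN ports rather than written as "deny ip any any" so that other to-the-box traffic on the interface is left alone.

```cisco
! Constructed example: ASA outside interface OUTSIDE has address 198.51.100.10,
! and only 203.0.113.0/24 (e.g. the corporate egress range) may start AnyConnect sessions.

! Permit the allowed source range to the AnyConnect listener (TLS on TCP/443, DTLS on UDP/443)
access-list CPLANE extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 443
access-list CPLANE extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.10 eq 443

! Explicit deny for every other source. A control-plane ACL has no implicit deny, so
! without these two lines a non-matching source is handed to the regular rules and
! can still reach the VPN listener.
access-list CPLANE extended deny tcp any host 198.51.100.10 eq 443 log
access-list CPLANE extended deny udp any host 198.51.100.10 eq 443 log

! Apply as a to-the-box (control-plane) ACL, not as the normal "through" interface ACL
access-group CPLANE in interface OUTSIDE control-plane
```

If IKEv2/IPsec remote access is also enabled on that interface, add the same permit/deny pairs for UDP 500 and 4500. Note that ASDM shares TCP/443 with AnyConnect, so the deny lines also block ASDM from unlisted sources on OUTSIDE; keep a management session open on another path before applying. After a test connection from an unlisted address, "show access-list CPLANE" should show the hit count on the deny lines incrementing.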

balaji.bandi
Hall of Fame

You mean when the user is connected, you'd like to allow access only to certain IP addresses in the local area network?

Then you need to create an ACL with the VPN IP range as source and the networks you'd like to give access to as destination, and deny the rest.

BB

***** Rate All Helpful Responses *****
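Putting the two suggestions from this thread together (a vpn-filter on the group policy, or an interface ACL once "no sysopt connection permit-vpn" is set), here is an added ASA example; it is not configuration from any of the original posts. The client pool 10.10.10.0/24, the permitted segment 192.168.50.0/24 and the names ANYCONNECT-POOL, VPN-FILTER, ANYCONNECT-GP, ANYCONNECT-TG and OUTSIDE-IN are all constructed for the example.

```cisco
! Constructed example: AnyConnect clients are assigned 10.10.10.0/24 and may reach
! only 192.168.50.0/24; everything else behind the ASA is denied.

ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! vpn-filter ACLs are written with the VPN client as the source and the internal
! network as the destination; return traffic is allowed by the stateful connection.
access-list VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
! The filter has an implicit deny; an explicit logged deny makes blocked attempts visible
access-list VPN-FILTER extended deny ip any any log

! The filter is applied per session through the group policy the user lands in
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPN-FILTER

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 default-group-policy ANYCONNECT-GP

! Alternative from the thread: stop decrypted VPN traffic bypassing the interface ACL.
! Every allowed flow then needs an entry in the OUTSIDE ACL, and anything not listed
! is dropped by that ACL's implicit deny.
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit ip 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0
! access-group OUTSIDE-IN in interface OUTSIDE
```

With the default "sysopt connection permit-vpn" in place, decrypted AnyConnect traffic skips the outside interface ACL entirely, which is why the vpn-filter is the usual place to restrict it. "show vpn-sessiondb detail anyconnect" lists the filter name attached to each active session, which is a quick way to confirm the group policy (and therefore the filter) that an AD user actually received.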
