Restrict Internal LAN networks from connecting to WebVPN and AnyConnect

gbarden
Level 1

I am trying to restrict/deny internal LAN users/networks from being able to connect to the WebVPN and AnyConnect from inside the network. Is there a way to do this? We only want users to be able to connect to WebVPN or AnyConnect when at home or traveling.


Thanks

5 Replies

Bogdan Nita
VIP Alumni

It depends on your setup.

If the users are connected to the inside interface of the ASA that is allowing SSL VPN on the outside interface, then users are not able to connect to the outside IP of the ASA and thus are not able to connect using AnyConnect.


If the users are not behind the AnyConnect ASA, then a control-plane ACL can be used.

ciscoasa(config)# access-list CP-ACL deny tcp <net-to-deny> host <asa-public-ip> eq 443
ciscoasa(config)# access-list CP-ACL permit ip any any
ciscoasa(config)# access-group CP-ACL in interface OUTSIDE control-plane

The tricky part with the control plane acl is that the http command takes precedence:

You can configure access rules that control management traffic destined to the ASA. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/access-rules.html


HTH

Bogdan

Bogdan,


Thanks for the reply! The users are connected to the inside interface of the ASA and can access the outside interface of the ASA with AnyConnect and WebVPN. That is what I am trying to deny. 


Thanks


Gene

Hi Gene,

What IP are the users from inside using to connect to AnyConnect?

If it's the inside IP, you can simply disable the inside interface in the webvpn:

webvpn
no enable INSIDE


HTH

Bogdan 
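As an added example (not code from this thread or from Cisco), here is a small Python audit that reads an ASA running-config export and checks the two points raised above: whether the top-level webvpn block still enables the inside interface, whether a control-plane ACL denying tcp/443 from the internal network to the public VPN address is bound on the outside interface, and whether an http command for that network outranks that ACL. The interface names (INSIDE/OUTSIDE), the ACL name CP-ACL and all addresses in the sample config are constructed assumptions.

```python
import re
# Constructed sample running-config (not from the thread); 203.0.113.10 is a placeholder public IP.
SAMPLE_CONFIG = """\
access-list CP-ACL extended deny tcp 10.0.0.0 255.0.0.0 host 203.0.113.10 eq 443
access-list CP-ACL extended permit ip any any
access-group CP-ACL in interface OUTSIDE control-plane
http 10.0.0.0 255.0.0.0 OUTSIDE
webvpn
 enable OUTSIDE
 enable INSIDE
 anyconnect enable
"""

def webvpn_interfaces(config):
    """Interfaces named by 'enable <nameif>' in the top-level webvpn block."""
    enabled, in_block = [], False
    for line in config.splitlines():
        if line == "webvpn":
            in_block = True
        elif in_block and not line.startswith(" "):
            in_block = False          # left the indented webvpn block
        elif in_block and (m := re.fullmatch(r"\s+enable (\S+)", line)):
            enabled.append(m.group(1))
    return enabled

def control_plane_acl(config, iface):
    """Name of the ACL bound to iface with the control-plane keyword, or None."""
    m = re.search(rf"^access-group (\S+) in interface {iface} control-plane$", config, re.M)
    return m.group(1) if m else None

def acl_denies_443(config, acl, public_ip):
    """True if the ACL denies tcp/443 to the VPN address before its permit-any line."""
    for line in config.splitlines():
        if line.startswith(f"access-list {acl} "):
            if "deny tcp" in line and f"host {public_ip} eq 443" in line:
                return True
            if "permit ip any any" in line:
                return False      # permit reached first: the deny never matches
    return False

def http_overrides(config, iface):
    """'http <net> <mask> <iface>' lines: to-the-box rules that outrank the control-plane ACL."""
    return re.findall(rf"^http \S+ \S+ {iface}$", config, re.M)

def audit(config, public_ip, inside="INSIDE", outside="OUTSIDE"):
    findings = []
    if inside in webvpn_interfaces(config):
        findings.append(f"webvpn enabled on {inside}: add 'no enable {inside}'")
    acl = control_plane_acl(config, outside)
    if not acl or not acl_denies_443(config, acl, public_ip):
        findings.append(f"no control-plane ACL on {outside} denying tcp/443 to {public_ip}")
    for line in http_overrides(config, outside):
        findings.append(f"'{line}' outranks the control-plane ACL for that network")
    return findings
```

Run `audit(SAMPLE_CONFIG, "203.0.113.10")` against the sample to see both remaining gaps reported; point it at a real `show running-config` export with your own interface names and VPN address.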

They are using the DNS entry of the IP of the outside interface.

They are using the DNS entry of the outside interface IP address.