02-05-2018 07:22 PM - edited 03-12-2019 04:59 AM
I am trying to restrict/deny internal LAN users/networks from being able to connect to the WebVPN and Anyconnect from inside the network. Is there a way to do this? We only want users to be able to connect to WebVPN or Anyconnect when at home or traveling.
Thanks
02-06-2018 02:53 AM
It depends on your setup.
If the users are connected to the inside interface of the ASA that is allowing ssl vpn on the outside interface, then users are not able to connect to the outside IP of the ASA and thus not able to connect using anyconnect.
If the users are not behind the anyconnect ASA then a control-plane acl can be used.
ciscoasa(config)# access-list CP-ACL deny tcp <net-to-deny> host <asa-public-ip> eq 443
ciscoasa(config)# access-list CP-ACL permit ip any any
ciscoasa(config)# access-group CP-ACL in interface OUTSIDE control-plane
The tricky part with the control plane acl is that the http command takes precedence:
You can configure access rules that control management traffic destined to the ASA. Access control rules for to-the-box management traffic (defined by such commands as http, ssh, or telnet) have higher precedence than a management access rule applied with the control-plane option. Therefore, such permitted management traffic will be allowed to come in even if explicitly denied by the to-the-box ACL.
https://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/firewall/asa-97-firewall-config/access-rules.html
HTH
Bogdan
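The control-plane ACL from the reply above, written out with the http-command caveat made visible, as an added example that is not part of the thread; the LAN range 10.0.0.0/24, the public address 203.0.113.10 and the interface names INSIDE/OUTSIDE are assumed placeholders.

```text
! Assumed values: 10.0.0.0/24 is the LAN to deny, 203.0.113.10 the ASA public IP
access-list CP-ACL deny tcp 10.0.0.0 255.255.255.0 host 203.0.113.10 eq 443
access-list CP-ACL permit ip any any
access-group CP-ACL in interface OUTSIDE control-plane
!
! Caveat from the quoted documentation: to-the-box rules defined with the
! http command take precedence over the control-plane ACL.
!
! Weak: this line would let the LAN reach https/ASDM on OUTSIDE despite the deny above
! http 10.0.0.0 255.255.255.0 OUTSIDE
!
! Corrected: keep management access on the inside interface only, so the
! control-plane ACL on OUTSIDE is not bypassed
http server enable
http 10.0.0.0 255.255.255.0 INSIDE
```

Checking `show running-config http` for any entry that names the OUTSIDE interface is the quick way to confirm nothing overrides the ACL.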
02-06-2018 05:11 AM
Bogdan,
Thanks for the reply! The users are connected to the inside interface of the ASA and can access the outside interface of the ASA with AnyConnect and WebVPN. That is what I am trying to deny.
Thanks
Gene
02-06-2018 06:07 AM
Hi Gene,
What IP do the users from inside use to connect to AnyConnect?
If it's the inside IP, you can simply disable the inside interface in the webvpn:
webvpn
no enable INSIDE
HTH
Bogdan
02-06-2018 06:15 AM
They are using the DNS entry of the IP of the outside interface.