
Restricting AnyConnect Tunnel Group from specific External IP/s

Not sure if this is possible...

 

I have a tunnel group and the relevant group policy set up for an AnyConnect group. I also have split tunnel and vpn-filter ACL created to lock down access to required services.

User has been created and locked down to that tunnel group.

This all works fine as expected and how I want.

 

Is there a way however to allow only a specific external IP to access that specific Tunnel Group? I think not from my own research. Is there a better way to achieve the above and the External IP restriction?

 

Thanks

1 ACCEPTED SOLUTION


Not possible AFAIK. You can only do an all or nothing block using control-plane ACL. 

 

Is there some other identifying characteristic apart from IP address? Maybe you could use DAP to block the attempt post authentication. 


7 REPLIES

Hi @GRANT3779

 

 I think it is possible if you know the IP. You can try something like:

 

ciscoasa(config)# access-list FILTER-VPN deny udp "target Host" "Firewall IP" eq 500
ciscoasa(config)# access-list FILTER-VPN permit ip any any
ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane

 

Not sure about your firewall version.

 

-If I helped you somehow, please, rate it as useful.-


Hi Flavio,

 

I think my Title was misleading now I read it again. What I am looking for is to allow only certain Public IPs to access a specific tunnel group.

I have many other tunnel groups, but for one of these I would like only a specific range of Public IPs to be able to access it.

 

 


The idea remains the same. The thing is, IPsec traffic is sent to the firewall's control plane, so you won't block it with a regular ACL; you need to use the ACL given above. What you need to do is block accordingly.

 

 

 

-If I helped you somehow, please, rate it as useful.-


Hi, 

@Rahul Govindan this is what I did think when reading further on the control plane ACL. I will see what other options we have.

Thanks both for the feedback.


Team - Please allow me to resurrect this old post. Can someone please let me know how to lock down a local user to a specific tunnel-group? Any feedback is appreciated.


There are different ways to accomplish this... You can use DAP (dynamic access policy) to create a specific Group-Policy for a username.


Alternatively you can use Tunnel-Group Lock. I have seen tunnel-group lock option on the ASA (using ASDM) but I have never used that flavor, instead I use it on our ACS server which is acting as the AAA server for authentication. The policies on the ACS box make sure the user account can only connect to the tunnel-group they are part of on the ACS box.
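
The tunnel-group lock mentioned in the reply above, in ASA CLI form. This is an added example, not configuration posted by anyone in this thread. The names VENDOR-TG, VENDOR-GP, VENDOR-FILTER, VENDOR-SPLIT and vendor1 are hypothetical, and the two ACLs and the local user are assumed to exist already.

```cisco
! Added example. All object names below are hypothetical placeholders.
! VENDOR-FILTER (vpn-filter ACL) and VENDOR-SPLIT (split-tunnel ACL) are
! assumed to be defined elsewhere in the configuration.
!
! Group policy carrying the vpn-filter and split-tunnel settings.
! group-lock here means any session that ends up with this policy
! must have connected through the VENDOR-TG tunnel group.
group-policy VENDOR-GP internal
group-policy VENDOR-GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-filter value VENDOR-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDOR-SPLIT
 group-lock value VENDOR-TG
!
! Tunnel group that hands out the policy above by default.
tunnel-group VENDOR-TG type remote-access
tunnel-group VENDOR-TG general-attributes
 default-group-policy VENDOR-GP
!
! Per-user lock for a local account: the user is pinned to the group
! policy and rejected if they select any tunnel group other than
! VENDOR-TG. service-type remote-access keeps the account from being
! used for management access to the ASA itself.
username vendor1 attributes
 vpn-group-policy VENDOR-GP
 group-lock value VENDOR-TG
 service-type remote-access
```

The group-lock check runs after authentication and compares the tunnel group the user connected to against the configured value, so it pins a user to a tunnel group but does not restrict which source IP addresses can reach that group.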
