10-13-2025 03:15 AM
Hello,
We have a Cisco ASA 5516 running 9.16(1). With the vulnerability that came out last week (https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-webvpn-z5xP8EUB#vp), we want to restrict AnyConnect access to the firewall based on IP address. There are multiple reasons why we don't upgrade the firmware to the latest version.
I did some research and found out that it is possible to add an ACL on the control-plane. This should affect access to the ASA itself. I am not sure how to configure the ACL itself; should it be something like this:
The hosts that need to be allowed are x.x.x.x and y.y.y.y.
access-list OUTSIDE_MGMT_IN extended permit tcp host x.x.x.x interface outside eq 443
access-list OUTSIDE_MGMT_IN extended permit tcp host y.y.y.y interface outside eq 443
access-list OUTSIDE_MGMT_IN extended deny tcp any interface outside eq 443
access-list OUTSIDE_MGMT_IN extended permit ip any any
And doesn't this affect the management access rules that are configured in ASDM, shown below:
10-13-2025 05:13 AM
Yes, you can allow the required IPs to connect to the Remote VPN.
Example and guide below:
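Added example (my own, not the answerer's guide or Cisco's published snippet) of a control-plane ACL for the situation in the question; it keeps the interface name outside and the placeholder hosts x.x.x.x and y.y.y.y from the question, and adds matching UDP 443 entries because AnyConnect DTLS uses that port by default:

```cisco
! Control-plane ACL: filters traffic addressed TO the ASA itself (here the outside
! interface IP), not traffic passing through the firewall.
! Hosts and interface name are the placeholders from the question.
! Apply it from a session that will still be permitted afterwards (console, or one of
! the allowed hosts), because the ACL takes effect as soon as the access-group is bound.
access-list OUTSIDE_MGMT_IN remark AnyConnect/WebVPN on outside: allowed source hosts only
access-list OUTSIDE_MGMT_IN extended permit tcp host x.x.x.x interface outside eq 443
access-list OUTSIDE_MGMT_IN extended permit tcp host y.y.y.y interface outside eq 443
! AnyConnect DTLS runs on UDP 443 by default; keep it consistent with the TCP entries
access-list OUTSIDE_MGMT_IN extended permit udp host x.x.x.x interface outside eq 443
access-list OUTSIDE_MGMT_IN extended permit udp host y.y.y.y interface outside eq 443
access-list OUTSIDE_MGMT_IN extended deny tcp any interface outside eq 443
access-list OUTSIDE_MGMT_IN extended deny udp any interface outside eq 443
! Everything else destined to the box (IKE for site-to-site tunnels, ICMP, SSH/ASDM as
! already limited by the ssh/http commands) is left exactly as before
access-list OUTSIDE_MGMT_IN extended permit ip any any
!
! The control-plane keyword binds the ACL to to-the-box traffic only; the regular
! interface ACL for through-traffic is not changed
access-group OUTSIDE_MGMT_IN in interface outside control-plane
!
! Verification: hit counts on the deny entries show rejected connection attempts,
! and the access-group line confirms the ACL is bound as control-plane
show access-list OUTSIDE_MGMT_IN
show running-config access-group
```

The ASDM management access rules (the http/ssh commands) are evaluated independently of this ACL, so an administrator's host has to be permitted by both; the control-plane ACL simply adds a source-IP filter in front of the WebVPN/AnyConnect listener.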
10-14-2025 05:50 AM
Thank you @balaji.bandi, I tested it on a spare ASA we had lying around, and it worked perfectly.