Stop Anyconnect access from any devices

mangwendeelijah (Level 1)

I implemented AnyConnect VPN in our environment. My problem now is that one can connect from any device, even home computers, and access our RDPs etc. Any suggestions on how I can only allow devices from within our company? We also use Amazon WorkSpaces.

Thanks in advance

9 Replies

Hi

When you implement VPN tunnels, you need to permit or deny which traffic will run inside the tunnel. There will be an ACL for that.

There's something more called split tunnel, where you can define which traffic you will keep inside the tunnel and which one you will let out of the tunnel.

Hi Flavio

Thank you, I did the split tunneling and defined the traffic. The only issue is we can connect with our AnyConnect from any device or any workspace; so long as there is AnyConnect you can establish the VPN connection, and I am trying to stop that.

access-list AnyConnect_SplitTnl; 1 elements; name hash: 0x69cf432b
access-list AnyConnect_SplitTnl line 1 standard permit 10.20.80.0 255.255.255.0 (hitcnt=0) 0xd086c2ff

Hi,

The only option you have is to apply an inbound ACL on the router in front of the ASA and control which IPs are allowed to connect TCP and UDP 443 to the ASA outside IP address.

Another option would be to apply a control-plane ACL on the ASA outside interface and statically define which IPs are allowed to connect to it.


BR,

Octavian

Hi OS


I tried the control plane; it was blocking the site-to-site VPN traffic. I allowed the site-to-site through the control plane, but it didn't work.
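As an added example (not from either poster), this is what the control-plane ACL suggested above looks like on the ASA, including the exemption for the site-to-site peer that the follow-up says was being blocked. The addresses are constructed: 192.0.2.1 stands for the ASA outside IP, 203.0.113.0/28 for the company's public egress range, and 198.51.100.5 for the site-to-site peer. Object and ACL names are arbitrary.

```text
! Sources that may reach the AnyConnect listener (constructed example addresses)
object-group network CORP_EGRESS
 network-object 203.0.113.0 255.255.255.240
object network S2S_PEER
 host 198.51.100.5

! AnyConnect: TLS on TCP/443 and DTLS on UDP/443, only from corporate egress
access-list OUTSIDE_CP extended permit tcp object-group CORP_EGRESS host 192.0.2.1 eq 443
access-list OUTSIDE_CP extended permit udp object-group CORP_EGRESS host 192.0.2.1 eq 443

! Site-to-site peer: IKE (UDP/500), NAT-T (UDP/4500) and ESP, otherwise the
! control-plane ACL drops the L2L tunnel as well
access-list OUTSIDE_CP extended permit udp object S2S_PEER host 192.0.2.1 eq 500
access-list OUTSIDE_CP extended permit udp object S2S_PEER host 192.0.2.1 eq 4500
access-list OUTSIDE_CP extended permit esp object S2S_PEER host 192.0.2.1

! Explicit, logged deny for everything else addressed to the ASA itself
access-list OUTSIDE_CP extended deny ip any host 192.0.2.1 log

! Apply as a control-plane (to-the-box) ACL, not as a through-traffic ACL
access-group OUTSIDE_CP in interface outside control-plane
```

Two caveats: a control-plane ACL matches traffic destined to the ASA itself, so any management sources (SSH, ASDM, SNMP pollers) that reach the outside interface need their own permit lines, and users on Amazon WorkSpaces or home connections will only be admitted if their egress address is in CORP_EGRESS. Check hits with `show access-list OUTSIDE_CP` and the deny log messages before relying on it; this filters by source address, not by device identity, so it is a coarser control than the DAP approach discussed later in the thread.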

You are saying that if a device does not have AnyConnect you cannot control it via VPN? This might be routing on the firewall or an ACL on the firewall. The traffic that comes through the tunnel will be opened by the firewall and dropped on the local network.

The firewall needs to have a route, and the core or other layer 3 device must have a route to return the traffic to the firewall.


@mangwendeelijah if you don't have a PKI environment and cannot distribute certificates to corporate-owned assets, you could use Dynamic Access Policy (DAP). DAP can check the endpoint connecting to the VPN to determine if it is joined to your AD domain and subsequently permit access for corporate devices and deny access for personal devices.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html


Thank you Rob, I will try it.