legacia06747
Beginner

Blocking AnyConnect of Corporate Guest Wifi

We have a Cisco 5520 that has guest SSIDs.  I want to know how to block anyconnect from running on those cisco guest SSIDs.

5 REPLIES
marce1000
VIP Advisor

 - Both items are unrelated: AnyConnect is an app, whereas an SSID connection is 'quasi layer 2'. It is the same as asking how to block AnyConnect when on the LAN.

M.

Cisco 5520 wireless controllers allow you to block apps and protocols using AVC lists... are you telling me that there isn't a way to do so?

AnyConnect is using either SSL or IKE for the connection, so you could block those (please note, by blocking SSL you also block all HTTPS websites...). I assume this will not make you happy. 

Regarding AnyConnect, do you want to block the VPN function, or do you mean the Network Access Module, or any other module?

Do you want to generally block VPN connections, or only the protocols supported by AnyConnect?

If it's just AnyConnect, then maybe only the servers/IPs of your own VPN gateways? If yes, then you could create an ACL on the WLC blocking the access to those IPs. 

@patoberli 

Yes, I did try the block of SSL and you're right, it blocks everything.  I don't want to block the use of AnyConnect, I want to block the use of AnyConnect for the sake of connecting to our network within our on-prem corporate guest SSID.

I have tried using various AVC and ACL settings in the wifi connection. I'm not as familiar with the NAM (TAC suggestion). At this point I'm trying to control it within the Wireless Controller.

I've also heard of the suggestion of a DNS going nowhere.

Thanks for the reply.

In that case an ACL on the wireless controller blocking the access to your VPN gateways (plus one allowing everything else, if I remember correctly) should do this. Please note, this has some differences depending on whether you are running FlexConnect or not.
Alternatively, put an ACL on the firewall between the client guest network and your VPN gateways blocking the access to them.
You could also solve this with an ACL on the ASA blocking tcp/443 from the client guest IP range to the ASA external IP.
What I did in the end was check the logged-in users on the ASA from time to time and write them an email directly, asking them not to use VPN and to use the corporate SSID instead. I also told them that the use of VPN slows down the connection speed compared to the corporate SSID.
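As an added illustration of the "ACL on the device between the guest network and the VPN gateways" option discussed above (this is example configuration, not from this thread, from Cisco, or from the poster): an IOS-style extended ACL that denies the guest client range only to the VPN gateway's address and then explicitly permits everything else, so that ordinary guest HTTPS browsing keeps working and the ACL's implicit deny does not cut the guest segment off. The guest subnet, gateway address and interface name are placeholders (RFC 5737 documentation addresses); the extra ports beyond tcp/443 (udp/443 for DTLS, udp/500 and udp/4500 for IKE and IPsec NAT-T) are an assumption based on the earlier remark in the thread that AnyConnect uses either SSL or IKE.

```cisco
! Placeholders: 192.0.2.0/24 = guest client range, 198.51.100.1 = VPN gateway (ASA outside) address
ip access-list extended GUEST-NO-VPN
 remark Block only the corporate VPN gateway from the guest range; all other guest traffic stays allowed
 deny   tcp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 443
 deny   udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq 443
 deny   udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq isakmp
 deny   udp 192.0.2.0 0.0.0.255 host 198.51.100.1 eq non500-isakmp
 remark Explicit permit: without this line the implicit deny at the end drops every guest packet
 permit ip 192.0.2.0 0.0.0.255 any
!
! Apply inbound on the interface that faces the guest segment (placeholder interface name)
interface GigabitEthernet0/1
 ip access-group GUEST-NO-VPN in
```

Order matters: the deny lines must precede the permit, because the ACL is evaluated top-down and first match wins. Targeting the gateway address rather than the SSL protocol is what avoids the side effect mentioned earlier in the thread, where blocking SSL also broke all HTTPS websites for guests. The same deny/permit pair is what the WLC-side ACL needs as well; on the controller, check how the rules behave with FlexConnect, since the thread notes that the behaviour differs there.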