cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
768
Views
3
Helpful
9
Replies

Stop Anyconnect access from any devices

mangwendeelijah
Level 1
Level 1

I implemented anyconnect VPN in our environment, my problem now is thatone can connect from any device even home computers and access our RDPs etc. Any suggestions on how I can only allow devices from within our company? We also use Amazon Workspace

Thanks in advance

9 Replies 9

Hi

 When you implement VPN tunnels, you need to permit or deny which traffic will run inside the tunnel. There will be ACL for that.

there´s something more called split tunnel where you can define which traffic you willl keep inside the tunnel and which one you will let out the tunnel.

Hi Flavio

Thank you , I did the split tunneling and define traffic, only issue is we can connect from our anyconnect from any device or any workspace so long there is anycoonet you can establish the vpn connection and trying to stop that

access-list AnyConnect_SplitTnl; 1 elements; name hash: 0x69cf432b
access-list AnyConnect_SplitTnl line 1 standard permit 10.20.80.0 255.255.255.0 (hitcnt=0) 0xd086c2ff

Hi,

The only option you have is to apply an inbound ACL on the router in front of the ASA and control which IPs are allowed to connect TCP and UDP 443 to the ASA outside IP address.

Another option would be to apply a control-plane ACL on the ASA outside interface and statically define which IPs are allowed to connect to it.

 

BR,

Octavian

Hi OS

 

I tried the control plane, it was blocking the site to site vpn traffic, i allowed the site to site through control plane but it dint work

You are saying that if a device has not anyconnect you can not control via VPN ? This might be routing on the Firewall or ACL on the firewall. The traffic will come through the tunnel will be open by firewall and dropped on the local network.

The firewall needs to have route and the Core or other layer3 device must have route to return the traffic to firewall.

 

@mangwendeelijah if you don't have a PKI environment and cannot distribute certificates to corporate owned assets, you could use Dynamic Access Policy (DAP). DAP can check the endpoint connecting to the VPN to determine if joined to your AD domain and subsuquently permit access for corporate devices and deny access for personal devices.

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd_dap_usecases.html

 

Thank you Rob I will try it