03-28-2023 06:50 AM
I implemented AnyConnect VPN in our environment; my problem now is that one can connect from any device, even home computers, and access our RDPs etc. Any suggestions on how I can only allow devices from within our company? We also use Amazon WorkSpaces.
Thanks in advance
03-28-2023 06:55 AM
Hi
When you implement VPN tunnels, you need to permit or deny which traffic will run inside the tunnel. There will be an ACL for that.
There's something more called split tunnel, where you can define which traffic you will keep inside the tunnel and which one you will let out of the tunnel.
03-28-2023 07:21 AM
Hi Flavio
Thank you, I did the split tunneling and defined the traffic. The only issue is that we can connect with AnyConnect from any device or any workspace: as long as AnyConnect is there you can establish the VPN connection, and I am trying to stop that.
access-list AnyConnect_SplitTnl; 1 elements; name hash: 0x69cf432b
access-list AnyConnect_SplitTnl line 1 standard permit 10.20.80.0 255.255.255.0 (hitcnt=0) 0xd086c2ff
03-28-2023 07:40 AM - edited 03-28-2023 07:41 AM
Hi,
The only option you have is to apply an inbound ACL on the router in front of the ASA and control which IPs are allowed to connect TCP and UDP 443 to the ASA outside IP address.
Another option would be to apply a control-plane ACL on the ASA outside interface and statically define which IPs are allowed to connect to it.
BR,
Octavian
03-28-2023 08:52 AM
Hi OS
I tried the control plane; it was blocking the site-to-site VPN traffic. I allowed the site-to-site through the control plane, but it didn't work.
03-28-2023 07:53 AM
You are saying that if a device does not have AnyConnect you cannot control it via VPN? This might be routing on the firewall or an ACL on the firewall. The traffic that comes through the tunnel will be opened by the firewall and dropped on the local network.
The firewall needs to have a route, and the core or other layer 3 device must have a route to return the traffic to the firewall.
03-28-2023 06:55 AM
If you are looking for only company devices to connect, then you need to use certs on the PCs (owned by the company).
ASA :
example (post with FTD)
03-28-2023 07:08 AM
@mangwendeelijah if you don't have a PKI environment and cannot distribute certificates to corporate-owned assets, you could use Dynamic Access Policy (DAP). DAP can check the endpoint connecting to the VPN to determine if it is joined to your AD domain and subsequently permit access for corporate devices and deny access for personal devices.
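The two approaches raised in this thread (requiring a company-issued client certificate for AnyConnect, and a control-plane ACL on the ASA outside interface that still lets the site-to-site peers through) shown together as an added ASA configuration example; this is not from any post in the thread, and every name and address in it (CORP-CA, CORP-ANYCONNECT, CORP-GP, ANYCONNECT-POOL, OUTSIDE-CP, the 192.0.2.0/24, 203.0.113.10 and 198.51.100.1 addresses) is a placeholder to be replaced with your own values:

```cisco
! Added example, not from the thread. All names/addresses are placeholders.

! 1. Trust the internal CA that issues machine certificates to company PCs.
crypto ca trustpoint CORP-CA
 enrollment terminal
 revocation-check crl
crypto ca authenticate CORP-CA
! (paste the base64 CA certificate when prompted)

! 2. Require a client certificate from that CA in addition to AAA credentials.
!    A home PC without a cert from CORP-CA never reaches the login prompt.
tunnel-group CORP-ANYCONNECT type remote-access
tunnel-group CORP-ANYCONNECT general-attributes
 address-pool ANYCONNECT-POOL
 default-group-policy CORP-GP
tunnel-group CORP-ANYCONNECT webvpn-attributes
 authentication aaa certificate
 group-alias corp enable

! 3. Map only machine certs from the corporate issuing CA to that tunnel-group,
!    so a user cert or a cert from another CA cannot select it.
crypto ca certificate map CORP-MACHINE 10
 issuer-name attr cn eq corp-issuing-ca
 subject-name attr ou eq Workstations
webvpn
 certificate-group-map CORP-MACHINE 10 CORP-ANYCONNECT

! 4. Control-plane ACL: restricts who may talk to the ASA itself (to-the-box
!    traffic). It must also permit the site-to-site peer's IKE (UDP 500/4500)
!    and ESP, otherwise those tunnels break as described earlier in the thread.
!    198.51.100.1 = ASA outside IP, 203.0.113.10 = site-to-site peer,
!    192.0.2.0/24 = office egress range allowed to start AnyConnect sessions.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 500
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 host 198.51.100.1 eq 4500
access-list OUTSIDE-CP extended permit esp host 203.0.113.10 host 198.51.100.1
access-list OUTSIDE-CP extended permit tcp 192.0.2.0 255.255.255.0 host 198.51.100.1 eq 443
access-list OUTSIDE-CP extended permit udp 192.0.2.0 255.255.255.0 host 198.51.100.1 eq 443
access-group OUTSIDE-CP in interface outside control-plane
```

Note that a source-IP control-plane ACL only helps when corporate devices share a known egress range; roaming laptops are covered by the certificate requirement, not by step 4.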
03-29-2023 01:20 AM
Thank you Rob I will try it
03-28-2023 07:49 AM