Controlling access to webvpn login page

Unanswered Question
Mar 21st, 2008

Hi,

I have installed an ASA in an environment where I know the source IPs of every connection that will require VPN access, using Cisco AnyConnect only.

So they connect to the VPN in their browser using https://ip of outside interface, and everything is ok.

My goal is to only allow those clients to see our login page. I do not want anyone outside of the IPs I know about to even get prompted. Since the termination point resides on the outside interface itself, I am finding this difficult to do. Any ideas?

Thanks,

J

jdsuhr Thu, 09/11/2008 - 07:41

I know this topic is a bit old, but I've been dealing with the same situation and have finally come upon an answer. I'm adding it to this thread for posterity.

Running ASA 8.0(4) code (8.0.3 had a bug that affected this behavior), you can utilize an access list on the control plane to control inbound traffic to the ASA.

The steps are as follows:

1) Add the necessary lines to your outside interface's ACL to permit inbound traffic from your VPN pool addresses to your internal networks, then from global config mode, type "no sysopt connection permit-vpn". Note that if you're using LAN-to-LAN VPNs or other software-based VPN clients, you'll also need to add lines to permit that inbound VPN traffic on the outside (ESP/protocol 50, ISAKMP, IPSec), because disabling "sysopt connection permit-vpn" no longer allows all IPSec traffic without the associated ACL entries existing.

2) Build a new access list for your control plane. This ACL will permit inbound connectivity to your ASA's outside interface IP address from whatever sources you wish to permit. So, if your ASA's outside IP is 1.1.1.1 and your AnyConnect client's IP is 9.9.9.9, you'd have the following ACL to permit AnyConnect traffic:

access-list outside-cplane permit tcp host 9.9.9.9 host 1.1.1.1 eq 443
access-list outside-cplane permit udp host 9.9.9.9 host 1.1.1.1 eq 443
access-list outside-cplane deny ip any any

Note 1: UDP/443 is needed for DTLS functionality.

Note 2: if you need to permit SSH or ASDM from any external subnets to the outside interface, you'll also need to permit that traffic here (in addition to allowing it with the device management command sets). This ACL will be controlling ANY traffic destined for your ASA's outside interface, not just SSL VPN traffic.

Note 3: the "deny" statement at the end of this ACL is necessary. For some reason, the usual implicit deny statement on this ACL is either nonexistent or nonfunctional, I'm not sure which.

3) Apply your new access list to the outside interface's control plane:

access-group outside-cplane in interface outside control-plane

This should get you to where you need to be. Hope it saves someone else a TAC case.
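As an added illustration of the three-step procedure above (this is not code from the thread or from Cisco), the following script generates the control-plane ACL and access-group lines for a given outside IP and client list, and runs them through a small first-match ACL evaluator so you can check before deploying that unknown sources are denied and that the explicit trailing deny from note 3 is what makes that happen. The addresses 1.1.1.1 and 9.9.9.9 are the ones used in the post; the function and class names are my own.

```python
"""Build the outside control-plane ACL and check it with a first-match evaluator.
Added example, not from the thread; helper names are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "ip" (ip matches any protocol)
    src: str               # host address or "any"
    dst: str               # host address or "any"
    dport: Optional[int]   # destination port, None = any


def build_cplane_acl(asa_outside_ip: str, client_ips: List[str],
                     name: str = "outside-cplane") -> Tuple[List[Ace], List[str]]:
    """Return the ACL entries and the matching ASA config lines (steps 2 and 3)."""
    aces: List[Ace] = []
    for ip in client_ips:
        aces.append(Ace("permit", "tcp", ip, asa_outside_ip, 443))  # AnyConnect over TLS
        aces.append(Ace("permit", "udp", ip, asa_outside_ip, 443))  # DTLS (note 1)
    aces.append(Ace("deny", "ip", "any", "any", None))              # explicit deny (note 3)
    lines: List[str] = []
    for a in aces:
        src = "any" if a.src == "any" else f"host {a.src}"
        dst = "any" if a.dst == "any" else f"host {a.dst}"
        port = f" eq {a.dport}" if a.dport is not None else ""
        lines.append(f"access-list {name} {a.action} {a.proto} {src} {dst}{port}")
    lines.append(f"access-group {name} in interface outside control-plane")
    return aces, lines


def evaluate(aces: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation of one packet. Deliberately models NO implicit deny:
    a packet that matches nothing returns 'no-match', which shows why the
    trailing 'deny ip any any' is required."""
    for a in aces:
        if a.proto not in ("ip", proto):
            continue
        if a.src != "any" and ip_address(a.src) != ip_address(src):
            continue
        if a.dst != "any" and ip_address(a.dst) != ip_address(dst):
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action
    return "no-match"
```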
