Controlling access to webvpn login page

jasonpuskarich
Level 1

Hi,

I have installed an ASA in an environment where I know the source IPs of every connection that will require VPN access, using Cisco AnyConnect only.

So they connect to the VPN in their browser using https://ip of outside interface, and everything is ok.

My goal is to only allow those clients to see our login page. I do not want anyone outside of the IPs I know about to even get prompted. Since the termination point resides on the outside interface itself, I am finding this difficult to do. Any ideas?

Thanks,

J

2 Replies

irisrios
Level 6

You can use LDAP authentication to authenticate the users. For step-by-step instructions, refer to URL http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml.

jdsuhr
Level 1

I know this topic is a bit old, but I've been dealing with the same situation and have finally come upon an answer. I'm adding it to this thread for posterity.

Running ASA 8.0(4) code (8.0.3 had a bug that affected this behavior), you can utilize an access list on the control plane to control inbound traffic to the ASA.

The steps are as follows:

1) Add the necessary lines to your outside interface's ACL to permit inbound traffic from your VPN pool addresses to your internal networks, then from global config mode, type "no sysopt connection permit-vpn". Note that if you're using LAN-to-LAN VPNs or other software-based VPN clients, you'll also need to add lines to permit that inbound VPN traffic on the outside (ESP/protocol 50, ISAKMP, IPSec), because disabling "sysopt connection permit-vpn" no longer allows all IPSec traffic without the associated ACL entries existing.

2) Build a new access list for your control plane. This ACL will permit inbound connectivity to your ASA's outside interface IP address from whatever sources you wish to permit. So, if your ASA's outside IP is 1.1.1.1 and your AnyConnect client's IP is 9.9.9.9, you'd have the following ACL to permit AnyConnect traffic:

access-list outside-cplane permit tcp host 9.9.9.9 host 1.1.1.1 eq 443
access-list outside-cplane permit udp host 9.9.9.9 host 1.1.1.1 eq 443
access-list outside-cplane deny ip any any

****note 1: UDP/443 is needed for DTLS functionality.

****note 2: if you need to permit ssh or ASDM from any external subnets to the outside interface, you'll also need to permit that traffic here (in addition to allowing it with the device management command sets). This ACL will be controlling ANY traffic destined for your ASA's outside interface, not just SSL VPN traffic.

****note 3: the "deny" statement at the end of this ACL is necessary. For some reason, the usual implicit deny statement on this ACL is either nonexistent or nonfunctional, I'm not sure which.

3) Apply your new access list to the outside interface's control plane:

access-group outside-cplane in interface outside control-plane

This should get you to where you need to be. Hope it saves someone else a TAC case.
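As an added example (not from the thread above and not Cisco code), the following Python script builds the control-plane ACL described in steps 2 and 3 from a list of permitted sources, then simulates the ASA's first-match evaluation of that ACL so you can check which sources reach TCP/443 and UDP/443 on the outside address before applying it. The 1.1.1.1 and 9.9.9.9 addresses come from the post; 203.0.113.0/24 (a second client range) and 198.51.100.10 (an admin host allowed SSH and ASDM) are constructed for the example. The parser handles only the ACE forms used here (host, network/mask, any, optional "eq port"), and the unmatched case returns None rather than assuming an implicit deny, which is the behaviour note 3 warns about.

```python
import ipaddress
import re

# Constructed sample values: 1.1.1.1 / 9.9.9.9 are the post's placeholders,
# the /24 client range and the admin host are assumptions for this example.
OUTSIDE_IP = "1.1.1.1"
ALLOWED_CLIENTS = ["9.9.9.9", "203.0.113.0/24"]
MGMT_HOSTS = ["198.51.100.10"]


def acl_source(spec):
    """Render an IP or CIDR as an ASA source operand (host X, or network mask)."""
    net = ipaddress.IPv4Network(spec, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.netmask}"


def build_cplane_acl(name, outside_ip, clients, mgmt_hosts=()):
    """Emit the control-plane ACL: SSL (tcp/443) and DTLS (udp/443) per client,
    ssh/ASDM per admin host, then the explicit deny and the access-group line."""
    lines = []
    for c in clients:
        src = acl_source(c)
        lines.append(f"access-list {name} permit tcp {src} host {outside_ip} eq 443")
        lines.append(f"access-list {name} permit udp {src} host {outside_ip} eq 443")
    for m in mgmt_hosts:
        src = acl_source(m)
        lines.append(f"access-list {name} permit tcp {src} host {outside_ip} eq 22")
        lines.append(f"access-list {name} permit tcp {src} host {outside_ip} eq 443")
    # Note 3 in the post: do not rely on the implicit deny on this ACL.
    lines.append(f"access-list {name} deny ip any any")
    lines.append(f"access-group {name} in interface outside control-plane")
    return lines


# Subset of ASA ACE syntax: the optional "extended" keyword, permit/deny,
# protocol, source, destination and an optional "eq <port>".
ACE_RE = re.compile(
    r"^access-list (?P<name>\S+) (?:extended )?(?P<action>permit|deny) (?P<proto>\S+) "
    r"(?P<src>host \S+|any|\S+ \S+) (?P<dst>host \S+|any|\S+ \S+)(?: eq (?P<port>\d+))?$"
)


def parse_addr(tok):
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok[5:] + "/32")
    addr, mask = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse_acl(lines):
    """Turn ACE lines into (action, proto, src_net, dst_net, port) tuples;
    non-ACE lines such as access-group are ignored."""
    aces = []
    for line in lines:
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        aces.append((m["action"], m["proto"], parse_addr(m["src"]),
                     parse_addr(m["dst"]), int(m["port"]) if m["port"] else None))
    return aces


def evaluate(aces, proto, src_ip, dst_ip, dst_port):
    """First-match evaluation. Returns 'permit', 'deny', or None when no ACE
    matched (the case the post says you cannot leave to the implicit deny)."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, s, d, port in aces:
        if p not in ("ip", proto):
            continue
        if src not in s or dst not in d:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return None


if __name__ == "__main__":
    acl = build_cplane_acl("outside-cplane", OUTSIDE_IP, ALLOWED_CLIENTS, MGMT_HOSTS)
    print("\n".join(acl))
    aces = parse_acl(acl)
    for who in ("9.9.9.9", "203.0.113.77", "8.8.8.8"):
        print(who, "-> tcp/443:", evaluate(aces, "tcp", who, OUTSIDE_IP, 443))
```

Running it prints the ACL and then shows the known client and the client range reaching tcp/443 while an unknown source hits the explicit deny; dropping the last two lines of the generated ACL makes the unknown source fall through with no match at all, which is why the post insists on the trailing "deny ip any any".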
