Restricting access to Web Portal Client SSL VPN Cisco ASA

Jun 2nd, 2009

Hi all,

We have recently set up a Cisco ASA 5520 to provide a clientless SSL VPN via the web portal for our staff.

My question is, how do I restrict access to the web portal to certain IP addresses/ranges?

Basically, the clientless SSL VPN is enabled on both the inside and outside interfaces.

With the outside interface, we would like anyone from any IP to be able to access the portal. From the inside interface, we would only like members of a certain subnet to be able to log onto the portal, or even get access to it. This is to stop our limited SSL licenses from being tied up by people using the system internally.

My current understanding is that the VPN traffic bypasses the interface ACLs. Is there any way for me to get the SSL connections coming into the inside interface to be subject to these ACLs?

Any help much appreciated,

Many thanks


Todd Pula Tue, 06/02/2009 - 08:33

You could achieve this using control plane policing.

access-list cplane permit tcp host host eq 443

access-list cplane deny tcp any host eq 443

access-group cplane in interface inside control-plane

Michael Wheeler Wed, 04/08/2015 - 10:39

We tried this to limit the IP ranges of who can access the ASA Portal page, but even at the Control Plane level it won't limit the HTTPS access on the outside interface.



