Restricting access to Web Portal Client SSL VPN Cisco ASA

jonathanaxford
Level 3

Hi all,

We have recently set up a Cisco ASA 5520 to provide a clientless SSL VPN via the web portal for our staff.

My question is, how do I restrict access to the web portal to certain IP addresses/ranges?

Basically, the clientless SSL VPN is enabled on both the inside and outside interfaces.

With the outside interface, we would like anyone from any IP to be able to access the portal. From the inside interface, we would only like members of a certain subnet to be able to log onto the portal, or even get access to it. This is to stop our limited SSL licenses from being tied up by people using the system internally.

My current understanding is that the VPN traffic bypasses the interface ACLs. Is there any way for me to get the SSL connections coming into the inside interface to be subject to these ACLs?

Any help much appreciated,

Many thanks

Jonathan

2 Replies

Todd Pula
Level 7

You could achieve this using control plane policing.

access-list cplane permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
access-list cplane deny tcp any host 2.2.2.2 eq 443
access-group cplane in interface inside control-plane

We tried this to limit the IP ranges of who can access the ASA portal page but even at the Control Plane level it won't limit the HTTPS access on the outside interface.
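The control-plane ACL approach from the reply above, worked through for the scenario in the question (only one staff subnet may reach the portal on the inside interface, the outside interface is left open). This is an added example, not configuration from the thread; the subnet 10.10.20.0/24 and the inside interface address 10.10.0.1 are placeholders.

```cisco
! Control-plane ACL: filters traffic addressed TO the ASA itself (the portal
! on tcp/443), which ordinary interface ACLs do not see.
access-list cplane remark Staff subnet may reach the clientless portal on the inside address
access-list cplane extended permit tcp 10.10.20.0 255.255.255.0 host 10.10.0.1 eq 443
access-list cplane remark Everyone else on the inside is denied; log the hits for visibility
access-list cplane extended deny tcp any host 10.10.0.1 eq 443 log
! Implicit deny at the end only affects to-the-box traffic on this interface;
! transit traffic is still governed by the normal interface ACL.

! Bind it to the inside interface only. No control-plane ACL is applied to
! the outside interface, so any source can still reach the portal there.
access-group cplane in interface inside control-plane

! Verification: hit counts should rise on the permit line for the staff subnet
! and on the deny line for anyone else trying the portal from the inside.
show access-list cplane
```

The `log` keyword on the deny entry gives a syslog record of internal hosts that tried the portal and were refused, which is also how you confirm the ACL is actually being consulted.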
