ASA - AnyConnect SSL VPN - Problems restricting client traffic with the "Webvpn Filter" command and Webtype ACL

Dec 9th, 2009

Hi,

I'm trying to restrict the traffic of an AnyConnect (client-based SSL VPN) WebVPN user. I am using a "webtype" access-list to define the permitted HTTP and CIFS URLs. Then I am applying the access-list in the user attributes webvpn mode using the "filter value acl" command. Unfortunately, the user still has access to all of the resources that all of the other WebVPN users have. I don't want to set up a separate group policy for just one user, and I'm not really confident that this filtering will work in the group policy if it doesn't work at the user level, as the configuration seems exactly the same. User attributes are supposed to override group policy attributes anyway. Am I missing something here? When I looked up the WebVPN filtering before trying this configuration, I found that the "vpn-filter" command that is used on IPsec VPNs to do this same thing is not supposed to work at all on SSL VPNs and that this was the method that I had to use. I'm kinda stuck here, as I have checked out several different config guides and references on Cisco and none of them mention any other config steps than those below. I am pretty well versed in IPsec site-to-site and RAS VPNs but am pretty new to the SSL VPN technology. I'm starting to wonder if the WebVPN filtering is only good on the "clientless" SSL VPN, but most of the documentation treats the clientless the same as AnyConnect.

Any help from those that have done this or something similar before would be appreciated. I have gotten past the stage where advice from laymen would be interesting though.

ASA 5520, Ver 8.0(2)

Config:

access-list johndoe_webvpn_filter webtype permit url http://server1/*
access-list johndoe_webvpn_filter webtype permit url http://server2/*
access-list johndoe_webvpn_filter webtype permit url http://server3/*
access-list johndoe_webvpn_filter webtype permit url cifs://server4/*
access-list johndoe_webvpn_filter webtype permit url cifs://server5/*
access-list johndoe_webvpn_filter webtype permit url http://server6/*

username johndoe attributes
 vpn-group-policy abc
 service-type remote-access
 webvpn
  filter value johndoe_webvpn_filter

Thanks,

Mark

Mark DeLong Wed, 12/09/2009 - 18:56

Never mind. I answered my own question with a little testing. Seems I got too far down one road to test and didn't test the other one. Though I do wish that the AnyConnect configuration sections in the ASA CLI config guides were a little more verbose, as well as the config guides specifically for it. Anyway, the answer is that the "webvpn filter" command is just for the clientless (not client) SSL VPN. The "vpn-filter" command that can be used with the IPsec VPN client can also be used with the AnyConnect client to filter traffic.

Thanks for viewing my exercise in stupidity,

Mark
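For reference, here is what the working approach from the reply above looks like as a complete configuration. This is an added example, not a config posted by Mark or taken from Cisco documentation. It keeps the username, group policy and server names from the question, but the AnyConnect address pool (192.0.2.0/24) and the server addresses (10.10.10.x) are constructed placeholders. Because vpn-filter uses an extended ACL, it matches on IP address and port rather than on URL, so the webtype entries for http:// and cifs:// are mapped to TCP/80 and TCP/445 (plus TCP/139 where older CIFS clients need it).

```text
! Extended ACL for vpn-filter. The remote AnyConnect client (the address pool)
! is the source and the internal resource is the destination. Do not also
! bind this ACL to an interface with access-group.
access-list johndoe_vpn_filter remark server1/server2/server3/server6 - HTTP (http://server*/*)
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.1 eq 80
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.2 eq 80
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.3 eq 80
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.6 eq 80
access-list johndoe_vpn_filter remark server4/server5 - CIFS (cifs://server*/*)
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.4 eq 445
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 445
access-list johndoe_vpn_filter remark NetBIOS session service, only if the clients still need it
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.4 eq 139
access-list johndoe_vpn_filter extended permit tcp 192.0.2.0 255.255.255.0 host 10.10.10.5 eq 139
! Everything else from this user is dropped by the implicit deny at the end.

! Per-user override: vpn-filter sits directly under the user attributes,
! not under the webvpn sub-mode where "filter value" (clientless only) goes.
username johndoe attributes
 vpn-group-policy abc
 service-type remote-access
 vpn-filter value johndoe_vpn_filter
```

Two things worth checking after the user reconnects: the session detail in `show vpn-sessiondb detail` should list the ACL name under "Filter Name", and the hit counts in `show access-list johndoe_vpn_filter` should increase as the user browses, which confirms the filter is actually the one being applied. Also note that a vpn-filter ACL is evaluated for traffic in both directions of the tunnel, so a permit written for client-to-server port 80 also governs the matching reverse flow; keep the entries as narrow as the applications allow and, as the name-based webtype ACL did, avoid broad network ranges on the destination side.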
