I have an ASA (8.2.1) running IPSec and Anyconnect. The other day I noticed someone was trying to brute force the Anyconnect connection.
Doing what felt natural, I tried blocking using my outside ACL. It appears that this ACL protects my internal hosts nicely, but fails to do anything for the services sitting on the firewall itself.
I can use shun, but the address range the attack comes from is a range my internal hosts might want to utilize for other reasons.
One could assume my outside_in access-list looks as such:
access-list outside_in line 1 extended deny ip 220.127.116.11 255.255.0.0 any
access-group outside_in in interface outside
I would like a way to deny traffic to my ASA's Anyconnect Service, but I would like the granularity to block just HTTPS.
An edge device beyond the ASA is not available to me, so any solution would have to be based in the ASA.
Thanks in advance.
The only way to restrict by IP address who can or can't establish a VPN connection to the ASA is with an ACL applied to the outside interface (using the control-plane keyword in the access-group command to apply the ACL to traffic intended for the ASA itself as well as traffic passing through).
The problem with this is that nobody from that IP address will be able to establish a VPN connection to the ASA.
The other alternative is with an ACS server (assuming you have one): create a filter as to which IP addresses can establish a VPN connection. This option is better in the sense that it allows you to do the restrictions based on VPN profiles.
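As an added illustration of the control-plane ACL the answer above describes (this is example configuration, not something posted by the question author or the answerer), the following applies a separate to-the-box ACL on the outside interface. The ACL name outside_control_plane and the source range 203.0.113.0/24 (an RFC 5737 documentation range) are placeholders chosen here, not the addresses from the question; substitute the attacking range. Only TCP 443 from that range is dropped, so the original outside_in ACL and the firewall's IPsec services (UDP 500/4500, ESP) are untouched.

```cisco
! Added example configuration (ASA 8.2 syntax), not from the original thread.
! Source range 203.0.113.0/24 and the ACL name are placeholders.

! Deny only HTTPS (the AnyConnect SSL/TLS listener) from the offending range
! to the ASA's own interface address.
access-list outside_control_plane extended deny tcp 203.0.113.0 255.255.255.0 any eq 443

! A control-plane ACL ends in an implicit deny, so everything else destined
! to the box must be explicitly permitted or IPsec and management break.
access-list outside_control_plane extended permit ip any any

! Apply it to traffic addressed to the ASA itself; through-traffic is still
! governed by the existing outside_in ACL.
access-group outside_control_plane in interface outside control-plane
```

After applying it, `show access-list outside_control_plane` shows per-line hit counts, which is the quickest way to confirm that the brute-force attempts are now being dropped by the first line while the permit line keeps counting legitimate IPsec and AnyConnect sessions from other addresses.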