Thank You Jennifer,

I am not looking to restrict VPN Clients with ACL applied on the outside interface, for business needs I have Certificates to identify the machines and uname / pwd to identify our users.

What I am looking to restrict is: ASA's web server that is being published to the internet to avoid everyone who can get to this address.

Is this possible ?

And regarding VPN Users, Can I specify somewhere in the Client Profile my white list of the IP Addresses. To allow users to get connected to my asa via vpn only from specific IP addresses?

Regards,

M.

Do you mean the ASDM access from the outside? If it is, then yes, you can restrict that with the following command:

http outside

But if you mean the webvpn/AnyConnect termination, then no, you can't restrict those with ip address.

You can however do DAP (Dynamic Access Policy) to check if a certain things within the user's laptop exists (eg: registry settings specific, or a specific file, etc), and allow access to those users accordingly if you would like to tighten the security.

Thank You Jennifer,

No, I didn't mean ASDM, this part it is clear enough, only specific addresses can go to asdm or ssh. Like you mentioned it before.

What I am looking for is to specify the ip addresses that are gonna be able to open Asa fw ip address in the browser. But no buddy else. I know that i am letting my outside interface to receive anyconnect clients. This part is clear also.

My question is, can I restrict my web access to Asa fw from outside? To avoid all kind of unwanted visitors... When I say web access I mean the web page generated by Asa fw to get the certificate and any connect client.

Regards,

M.

Hi Jennifer,

I was looking for some work arrounds for my problem, I am not sure but may be you can answer this question.

I have my VPN users, can I disable my web server and enable it only when i add a new VPN user .. Will the VPN process work just fine without having a public web server from ASA's end? Will my VPN user still be able to login without any issue ?

Regards,

Max..

I really am not too sure I understand what you mean by public web server on the ASA.

SSL VPN on ASA uses TCP/443 which for the VPN protocol and same for HTTPS. You can either enable or disable your SSL VPN termination on the ASA. I am not sure I understand what you mean by disabling the web server and enable it when you add new VPN user?

TCP/443 on ASA is used for 2 purposes:

1) ASDM

2) SSL VPN

You can however, always change it to a different port, eg: port 8443 for example.

Thank You Jennifer,

This is an option too. What I ment by the web server is:

The generated content that you can find via browser when you type your outside interface ip address in the browser itself. I want to disable this content to be printed in the browser at all. What i want to see in the browser its a page that will tell you that the page you are looking for does not exist. And keep my vpn users operational at the same time..

Is there a way to remove, the function in ASA FW responsible of publishing the login web page for vpn users without affecting my clients that already have them certificates and anyconnect vpn clien installed on them machines?

Regards,

Max

You can potentially disable the "webvpn" vpn protocol in your group-policy, and only leave "svc" for the vpn protocol, and also remove the AnyConnect client from automatically being downloaded to your user's PC, and for every new user, you need to manually download and install the AnyConnect software on their PC. Maybe that is an option.