Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Restricted access (only to allowed ip addresses) to asa http server for AnyConnect and Certificates Download.

Hello Guys,

S.O.S....

Right  now, every one can go to ASA FW via browser (ip address specified on my  outside interface) and connect, download certificates and AnyConnect  client with assigned uname and password.

What i am trying to do is:

Configure  my asa to allow only specific hosts, my anyconnect vpn users (with them  specific ip addresses) that will be able to get to ASA 5510 via browser  to (login, download the certificate, and download AnyConnect client),  and this way avoid my ip address published to everyone in the internet.

I have the fallowing statement, but it looks like it's not really helpfull in my situation.

access-list outside_access_in extended permit tcp host x.x.x.x host y.y.y.y  eq zzzz

access-list outside_access_in extended permit tcp host a.a.a.a host b.b.b.b eq cccc

access-group outside_access_in in interface outside

Not  sure, if there is an emplicit Deny for any any on this ACL, but if I  add it to the access list, i can still get to the publeshed ip address  from any ip and I am still always seeing ASA web login page with "group,  uname and pwd"

Is  there a way to do that? Is there a way to apply an ACL to the  integraded web server on the ASA 5510 itself to avoid everyone getting  into my login page from ASA 5510?

Any tip regarding this matter is deeply appreciated,

Regards,

M

Also posted on Other Security Subjects, sorry for double post, not sure where exactly does that kind of issue belongs to.

8 REPLIES
Cisco Employee

Re: Restricted access (only to allowed ip addresses) to asa http

No, unfortunately you can't restrict who can access the VPN with access-list when you terminate the VPN on the ASA itself. VPN traffic is not checked against access-list applied on the outside interface.

New Member

Re: Restricted access (only to allowed ip addresses) to asa http

Thank You Jennifer,

I am not looking to restrict VPN Clients with ACL applied on the outside interface, for business needs I have Certificates to identify the machines and uname / pwd to identify our users.

What I am looking to restrict is: ASA's web server that is being published to the internet to avoid everyone who can get to this address.

Is this possible ?

And regarding VPN Users, Can I specify somewhere in the Client Profile my white list of the IP Addresses. To allow users to get connected to my asa via vpn only from specific IP addresses?

Regards,

M.

Cisco Employee

Re: Restricted access (only to allowed ip addresses) to asa http

Do you mean the ASDM access from the outside? If it is, then yes, you can restrict that with the following command:

http outside

But if you mean the webvpn/AnyConnect termination, then no, you can't restrict those with ip address.

You can however do DAP (Dynamic Access Policy) to check if a certain things within the user's laptop exists (eg: registry settings specific, or a specific file, etc), and allow access to those users accordingly if you would like to tighten the security.

New Member

Re: Restricted access (only to allowed ip addresses) to asa http

Thank You Jennifer,

No, I didn't mean ASDM, this part it is clear enough, only specific addresses can go to asdm or ssh. Like you mentioned it before.

What I am looking for is to specify the ip addresses that are gonna be able to open Asa fw ip address in the browser. But no buddy else. I know that i am letting my outside interface to receive anyconnect clients. This part is clear also.

My question is, can I restrict my web access to Asa fw from outside? To avoid all kind of unwanted visitors... When I say web access I mean the web page generated by Asa fw to get the certificate and any connect client.

Regards,

M.

New Member

Re: Restricted access (only to allowed ip addresses) to asa http

Hi Jennifer,

I was looking for some work arrounds for my problem, I am not sure but may be you can answer this question.

I have my VPN users, can I disable my web server and enable it only when i add a new VPN user .. Will the VPN process work just fine without having a public web server from ASA's end? Will my VPN user still be able to login without any issue ?

Regards,

Max..

Cisco Employee

Re: Restricted access (only to allowed ip addresses) to asa http

I really am not too sure I understand what you mean by public web server on the ASA.

SSL VPN on ASA uses TCP/443 which for the VPN protocol and same for HTTPS. You can either enable or disable your SSL VPN termination on the ASA. I am not sure I understand what you mean by disabling the web server and enable it when you add new VPN user?

TCP/443 on ASA is used for 2 purposes:

1) ASDM

2) SSL VPN

You can however, always change it to a different port, eg: port 8443 for example.

New Member

Re: Restricted access (only to allowed ip addresses) to asa http

Thank You Jennifer,

This is an option too. What I ment by the web server is:

The generated content that you can find via browser when you type your outside interface ip address in the browser itself. I want to disable this content to be printed in the browser at all. What i want to see in the browser its a page that will tell you that the page you are looking for does not exist. And keep my vpn users operational at the same time..

Is there a way to remove, the function in ASA FW responsible of publishing the login web page for vpn users without affecting my clients that already have them certificates and anyconnect vpn clien installed on them machines?

Regards,

Max

Cisco Employee

Re: Restricted access (only to allowed ip addresses) to asa http

You can potentially disable the "webvpn" vpn protocol in your group-policy, and only leave "svc" for the vpn protocol, and also remove the AnyConnect client from automatically being downloaded to your user's PC, and for every new user, you need to manually download and install the AnyConnect software on their PC. Maybe that is an option.

3071
Views
0
Helpful
8
Replies