Right now, every one can go to ASA FW via browser (ip address specified on my outside interface) and connect, download certificates and AnyConnect client with assigned uname and password.
What i am trying to do is:
Configure my asa to allow only specific hosts, my anyconnect vpn users (with them specific ip addresses) that will be able to get to ASA 5510 via browser to (login, download the certificate, and download AnyConnect client), and this way avoid my ip address published to everyone in the internet.
I have the fallowing statement, but it looks like it's not really helpfull in my situation.
access-list outside_access_in extended permit tcp host x.x.x.x host y.y.y.y eq zzzz
access-list outside_access_in extended permit tcp host a.a.a.a host b.b.b.b eq cccc
access-group outside_access_in in interface outside
Not sure, if there is an emplicit Deny for any any on this ACL, but if I add it to the access list, i can still get to the publeshed ip address from any ip and I am still always seeing ASA web login page with "group, uname and pwd"
Is there a way to do that? Is there a way to apply an ACL to the integraded web server on the ASA 5510 itself to avoid everyone getting into my login page from ASA 5510?
Any tip regarding this matter is deeply appreciated,
Also posted on Other Security Subjects, sorry for double post, not sure where exactly does that kind of issue belongs to.
No, unfortunately you can't restrict who can access the VPN with access-list when you terminate the VPN on the ASA itself. VPN traffic is not checked against access-list applied on the outside interface.
Thank You Jennifer,
I am not looking to restrict VPN Clients with ACL applied on the outside interface, for business needs I have Certificates to identify the machines and uname / pwd to identify our users.
What I am looking to restrict is: ASA's web server that is being published to the internet to avoid everyone who can get to this address.
Is this possible ?
And regarding VPN Users, Can I specify somewhere in the Client Profile my white list of the IP Addresses. To allow users to get connected to my asa via vpn only from specific IP addresses?
Do you mean the ASDM access from the outside? If it is, then yes, you can restrict that with the following command:
But if you mean the webvpn/AnyConnect termination, then no, you can't restrict those with ip address.
You can however do DAP (Dynamic Access Policy) to check if a certain things within the user's laptop exists (eg: registry settings specific, or a specific file, etc), and allow access to those users accordingly if you would like to tighten the security.
Thank You Jennifer,
No, I didn't mean ASDM, this part it is clear enough, only specific addresses can go to asdm or ssh. Like you mentioned it before.
What I am looking for is to specify the ip addresses that are gonna be able to open Asa fw ip address in the browser. But no buddy else. I know that i am letting my outside interface to receive anyconnect clients. This part is clear also.
My question is, can I restrict my web access to Asa fw from outside? To avoid all kind of unwanted visitors... When I say web access I mean the web page generated by Asa fw to get the certificate and any connect client.
I was looking for some work arrounds for my problem, I am not sure but may be you can answer this question.
I have my VPN users, can I disable my web server and enable it only when i add a new VPN user .. Will the VPN process work just fine without having a public web server from ASA's end? Will my VPN user still be able to login without any issue ?
I really am not too sure I understand what you mean by public web server on the ASA.
SSL VPN on ASA uses TCP/443 which for the VPN protocol and same for HTTPS. You can either enable or disable your SSL VPN termination on the ASA. I am not sure I understand what you mean by disabling the web server and enable it when you add new VPN user?
TCP/443 on ASA is used for 2 purposes:
2) SSL VPN
You can however, always change it to a different port, eg: port 8443 for example.
Thank You Jennifer,
This is an option too. What I ment by the web server is:
The generated content that you can find via browser when you type your outside interface ip address in the browser itself. I want to disable this content to be printed in the browser at all. What i want to see in the browser its a page that will tell you that the page you are looking for does not exist. And keep my vpn users operational at the same time..
Is there a way to remove, the function in ASA FW responsible of publishing the login web page for vpn users without affecting my clients that already have them certificates and anyconnect vpn clien installed on them machines?
You can potentially disable the "webvpn" vpn protocol in your group-policy, and only leave "svc" for the vpn protocol, and also remove the AnyConnect client from automatically being downloaded to your user's PC, and for every new user, you need to manually download and install the AnyConnect software on their PC. Maybe that is an option.