I have installed an ASA in an environment where I know the source IPs of every connection that will require VPN access, using Cisco AnyConnect only.
So they connect to the VPN in their browser using https://ip of outside interface, and everything is ok.
My goal is to only allow those clients to see our login page. I do not want anyone outside of the IPs I know about to even get prompted. Since the termination point resides on the outside interface itself, I am finding this difficult to do. Any ideas?
I know this topic is a bit old, but I've been dealing with the same situation and have finally come upon an answer. I'm adding it to this thread for posterity.
Running ASA 8.0(4) code (8.0.3 had a bug that affected this behavior), you can utilize an access list on the control plane to control inbound traffic to the ASA.
The steps are as follows:
1) Add the necessary lines to your outside interface's ACL to permit inbound traffic from your VPN pool addresses to your internal networks, then from global config mode, type "no sysopt connection permit-vpn". Note that if you're using LAN-to-LAN VPNs or other software-based VPN clients, you'll also need to add lines to permit that inbound VPN traffic on the outside (ESP/protocol 50, ISAKMP, IPsec), because disabling "sysopt connection permit-vpn" no longer allows all IPsec traffic without the associated ACL entries existing.
2) Build a new access list for your control plane. This ACL will permit inbound connectivity to your ASA's outside interface IP address from whatever sources you wish to permit. So, if your ASA's outside IP is 22.214.171.124 and your AnyConnect client's IP is 126.96.36.199, you'd have the following ACL to permit AnyConnect traffic:
Note 1: UDP/443 is needed for DTLS functionality.
Note 2: if you need to permit SSH or ASDM from any external subnets to the outside interface, you'll also need to permit that traffic here (in addition to allowing it with the device management command sets). This ACL will be controlling ANY traffic destined for your ASA's outside interface, not just SSL VPN traffic.
Note 3: the "deny" statement at the end of this ACL is necessary. For some reason, the usual implicit deny statement on this ACL is either nonexistent or nonfunctional, I'm not sure which.
3) Apply your new access list to the outside interface's control plane:
access-group outside-cplane in interface outside control-plane
This should get you to where you need to be. Hope it saves someone else a TAC case.
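As an added example (not the original poster's configuration), here are the three steps above written out as ASA CLI, using the thread's addresses 22.214.171.124 (outside interface) and 126.96.36.199 (AnyConnect client); the interface ACL name outside_access_in, the VPN pool 192.168.100.0/24 and the inside network 10.0.0.0/8 are assumed values.

```cisco
! --- Step 1: permit decrypted AnyConnect traffic explicitly ---
! outside_access_in, 192.168.100.0/24 (VPN pool) and 10.0.0.0/8 (inside)
! are assumed values, not taken from the thread.
access-list outside_access_in extended permit ip 192.168.100.0 255.255.255.0 10.0.0.0 255.0.0.0
! Only needed if IPsec (LAN-to-LAN or IPsec clients) also terminates here:
! ISAKMP, NAT-T and ESP must now be permitted by the interface ACL.
access-list outside_access_in extended permit udp any host 22.214.171.124 eq isakmp
access-list outside_access_in extended permit udp any host 22.214.171.124 eq 4500
access-list outside_access_in extended permit esp any host 22.214.171.124
access-group outside_access_in in interface outside
! Stop the ASA from bypassing interface ACLs for VPN-sourced traffic
no sysopt connection permit-vpn

! --- Step 2: control-plane ACL (to-the-box traffic on "outside") ---
! Only the known AnyConnect client may reach the SSL VPN portal.
access-list outside-cplane extended permit tcp host 126.96.36.199 host 22.214.171.124 eq https
! UDP/443 for DTLS (note 1 above)
access-list outside-cplane extended permit udp host 126.96.36.199 host 22.214.171.124 eq 443
! Explicit deny (note 3 above): do not rely on the implicit deny here
access-list outside-cplane extended deny ip any any

! --- Step 3: apply it to the outside interface's control plane ---
access-group outside-cplane in interface outside control-plane
```

After applying, "show access-list outside-cplane" shows per-line hit counts, so a connection attempt from a permitted client and one from an unknown address let you confirm the permit and the final deny are both matching as intended.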