Cisco Support Community


Controlling access to webvpn login page


I have installed an ASA in an environment where I know the source IPs of every connection that will require VPN access, using Cisco AnyConnect only.

So they connect to the VPN in their browser using https://ip of outside interface, and everything is ok.

My goal is to only allow those clients to see our login page. I do not want anyone outside of the IPs I know about to even get prompted. Since the termination point resides on the outside interface itself, I am finding this difficult to do. Any ideas?




Re: Controlling access to webvpn login page

You can use LDAP authentication to authenticate the users. For step-by-step instructions, refer to URL


Re: Controlling access to webvpn login page

I know this topic is a bit old, but I've been dealing with the same situation and have finally come upon an answer. I'm adding it to this thread for posterity.

Running ASA 8.0(4) code (8.0.3 had a bug that affected this behavior), you can utilize an access list on the control plane to control inbound traffic to the ASA.

The steps are as follows:

1) Add the necessary lines to your outside interface's ACL to permit inbound traffic from your VPN pool addresses to your internal networks, then from global config mode, type "no sysopt connection permit-vpn". Note that if you're using LAN-to-LAN VPNs or other software-based VPN clients, you'll also need to add lines to permit that inbound VPN traffic on the outside (ESP/protocol 50, ISAKMP, IPSec), because disabling sysopt connection permit-vpn no longer allows all IPSec traffic without the associated ACL entries existing.

2) Build a new access list for your control plane. This ACL will permit inbound connectivity to your ASA's outside interface IP address from whatever sources you wish to permit. So, if your ASA's outside IP is and your AnyConnect client's IP is, you'd have the following ACL to permit AnyConnect traffic:

access-list outside-cplane permit tcp host host eq 443

access-list outside-cplane permit udp host host eq 443

access-list outside-cplane deny ip any any

****note 1: UDP/443 is needed for DTLS functionality.

****note 2: if you need to permit SSH or ASDM from any external subnets to the outside interface, you'll also need to permit that traffic here (in addition to allowing it with the device management command sets). This ACL will be controlling ANY traffic destined for your ASA's outside interface, not just SSL VPN traffic.

****note 3: the "deny" statement at the end of this ACL is necessary. For some reason, the usual implicit deny statement on this ACL is either nonexistent or nonfunctional, I'm not sure which.

3) Apply your new access list to the outside interface's control plane:

access-group outside-cplane in interface outside control-plane

This should get you to where you need to be. Hope it saves someone else a TAC case.
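The three steps above, assembled into one complete ASA configuration. This is an added example, not the poster's own config: every address is an assumption taken from the RFC 5737 documentation ranges (outside interface 203.0.113.1, permitted AnyConnect sources 198.51.100.0/24, an admin workstation at 198.51.100.10, AnyConnect address pool 10.10.10.0/24, internal networks 10.0.0.0/8), and the interface ACL name outside_access_in is likewise assumed.

```cisco
! Added example, not from the original thread. All addresses are assumptions:
!   outside interface IP       203.0.113.1
!   permitted AnyConnect sources 198.51.100.0/24
!   admin workstation (SSH)    198.51.100.10
!   AnyConnect address pool    10.10.10.0/24
!   internal networks          10.0.0.0/8
!
! Step 1: once sysopt connection permit-vpn is disabled, decrypted
! AnyConnect traffic is checked against the outside interface ACL, so the
! VPN pool must be explicitly permitted to reach the inside networks.
access-list outside_access_in extended permit ip 10.10.10.0 255.255.255.0 10.0.0.0 255.0.0.0
access-group outside_access_in in interface outside
no sysopt connection permit-vpn
!
! Step 2: control-plane ACL for traffic addressed TO the outside interface
! IP itself. Only the known client subnet may reach the SSL VPN listener
! (TCP/443) and its DTLS channel (UDP/443). Anything else to-the-box,
! including SSH from the admin host, must be listed here as well, since
! this ACL governs all traffic destined for the interface, not just VPN.
access-list outside-cplane extended permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.1 eq 443
access-list outside-cplane extended permit udp 198.51.100.0 255.255.255.0 host 203.0.113.1 eq 443
access-list outside-cplane extended permit tcp host 198.51.100.10 host 203.0.113.1 eq 22
! Explicit final deny, per the poster's note 3
access-list outside-cplane extended deny ip any any
!
! Step 3: bind the ACL to the control plane of the outside interface
access-group outside-cplane in interface outside control-plane
!
! The management command set is still required alongside the control-plane
! ACL; the ACL alone does not enable SSH on the interface.
ssh 198.51.100.10 255.255.255.255 outside
```

To confirm it behaves as intended, browse to https://203.0.113.1 from a host inside 198.51.100.0/24 and from one outside it, then run "show access-list outside-cplane": the permit lines should accumulate hit counts for the allowed client while the deny line counts the rejected attempt, and the unlisted host should never receive the login page. Keep in mind that the control-plane deny also silently blocks anything else aimed at the outside address that you did not list, so add the SSH/ASDM (and, if applicable, IKE UDP/500, UDP/4500 and ESP) entries before applying the access-group, or you can lock yourself out.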