How to restrict SSL-VPN users from connecting using an IP address

muath1987
Level 1

Hello,

We configured SSL-VPN and enabled a certificate on this connection. Users can now connect through the FQDN or the IP address, but when they connect through the IP address they receive a warning and can then get past it. Is there any way to prevent users from connecting using the IP address and allow them to connect only through the FQDN?

Thank you

Accepted Solutions

Marvin Rhoads
Hall of Fame

No, it's not possible to configure the ASA not to accept such requests, as that is how they come to it even when the client uses the FQDN.

Think about it - the client application (AnyConnect) uses an FQDN and the first thing that happens is the client OS uses DNS to resolve to an IP address. That IP address is then used to contact the gateway. AnyConnect keeps track of the fact that the FQDN was called and verifies the certificate Common Name (CN) matches the FQDN. All the actual communications at the IP layer are using IP addresses though.
