Cisco ASA - Restrict IP for WebVPN access


Solution 1

In the meantime I've found out that there is no exact solution for this problem :(

According to Cisco Support Forums, there is no way to block webvpn using access lists.

Possible solutions to the problem are:

  • Place another router (Netgear, Cisco 800, ...) with firewall in front of the ASA
  • Try (legacy) IPsec VPN client
  • In my case, a Site-to-Site VPN would also be possible

Solution 2

First define the extended ACL that permits specific source addresses for VPN/WebVPN; I have used the name internet.

ciscoasa(config)# access-list internet extended permit tcp host 59.59.59.140 any
ciscoasa(config)# access-list internet extended deny ip any any

Then bind the extended ACL with the access-group command together with the control-plane option.

ciscoasa(config)# access-group internet in interface outside control-plane

This should work with your version 8.x (the ASA command reference lists this option in 8.x).
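An added example, not part of either answer: a small Python audit that reads a saved ASA configuration, finds the interfaces where webvpn is enabled, and reports any that have no control-plane ACL bound (the questioner's situation) or whose control-plane ACL permits no ip/esp/ah, in which case the IPsec side effect mentioned in the comments applies. The two configurations and the line layout are constructed for the example.

```python
import re

# Constructed sample configs (not from the thread): the questioner's setup, where the
# ACL is bound only as an ordinary interface ACL, and the same box after Solution 2.
BEFORE = """\
access-list outside_access_in extended permit ip host 59.59.59.140 any
access-list outside_access_in extended deny ip any any
access-group outside_access_in in interface outside
webvpn
 enable outside
"""
AFTER = BEFORE.replace("permit ip host", "permit tcp host").replace(
    "interface outside", "interface outside control-plane")

ACL_RE = re.compile(r"^access-list (\S+) extended (permit|deny) (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)( control-plane)?$")


def parse_config(text):
    """Return ({acl: [(action, proto)]}, {iface: control-plane ACL}, {webvpn ifaces})."""
    acls, bindings, webvpn_ifaces, in_webvpn = {}, {}, set(), False
    for line in text.splitlines():
        if not line.startswith(" "):  # any top-level command ends a webvpn block
            in_webvpn = line.strip() == "webvpn"
        elif in_webvpn and line.split()[:1] == ["enable"]:
            webvpn_ifaces.add(line.split()[1])
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        m = GROUP_RE.match(line)
        if m and m.group(3):  # only a control-plane binding filters to-the-box traffic
            bindings[m.group(2)] = m.group(1)
    return acls, bindings, webvpn_ifaces


def audit(text):
    """Flag webvpn interfaces with no control-plane ACL, and control-plane ACLs that
    permit no ip/esp/ah, which also cuts off IPsec (the caveat in the comments)."""
    acls, bindings, webvpn_ifaces = parse_config(text)
    findings = []
    for iface in sorted(webvpn_ifaces):
        acl = bindings.get(iface)
        if acl is None:
            findings.append(f"{iface}: webvpn enabled but no control-plane ACL bound")
            continue
        permitted = {proto for action, proto in acls.get(acl, []) if action == "permit"}
        if not permitted & {"ip", "esp", "ah"}:
            findings.append(f"{iface}: control-plane ACL {acl} would also block IPsec")
    return findings
```

Run `audit()` over the output of `show running-config` saved to a file; an empty list means every webvpn interface has a control-plane ACL that still leaves room for IPsec.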

Author: markus

Updated on September 18, 2022

Comments

  • markus
    markus over 1 year

    I've got a Cisco ASA5510 with Firmware Version 8.0(5).
    I'd like to restrict the source IPs that are allowed to access the Router through WebVPN (port 443). Here is the relevant part of the config.

    access-list outside_access_in extended permit ip host 59.59.59.140 any
    access-list outside_access_in extended deny ip any any
    [...]
    access-group outside_access_in in interface outside
    [...]
    webvpn
     enable outside
     svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
     svc enable
     tunnel-group-list enable
    Still, my webvpn port is available from all over the world. How can I fix this?

  • Zeb
    Zeb over 6 years
    This is the correct answer. It works, I have personally verified it. Note that if you apply this restriction, it will also apply to IPSec coming in, so you might want to permit udp/500, udp/4500, ah and esp.
  • Zeb
    Zeb over 6 years
    This answer is factually incorrect, tekcert.com and @Roli's answers are correct.