Cisco ASA - Restrict IP for WebVPN access
Solution 1
In the meantime I've found out that there is no exact solution for this problem :(
According to Cisco Support Forums, there is no way to block webvpn using access lists.
Possible solutions to the problem are:
- Place another router (Netgear, Cisco 800, ...) with firewall in front of the ASA
- Try (legacy) IPsec VPN client
- In my case, a Site-to-Site VPN would also be possible
Solution 2
First define the extended ACL that permits specific source addresses for VPN/WebVPN; I have used the name internet:
ciscoasa(config)# access-list internet extended permit tcp host 59.59.59.140 any
ciscoasa(config)# access-list internet extended deny ip any any
Then bind the extended ACL with the access-group command together with the control-plane option:
ciscoasa(config)# access-group internet in interface outside control-plane
This should work with your version 8.x (the ASA command reference lists this option in 8.x).
markus
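As an added example that is not part of the answer above, here is the same to-the-box ACL written out in the form a practitioner would actually deploy: the WebVPN permit is narrowed from all TCP to tcp/443, the IPsec control and data protocols that the comment thread points out are also caught by this ACL are permitted explicitly, and the verification commands are listed. The ACL name webvpn-restrict, the IPsec permits and the log keyword on the final deny are assumptions added here; the original answer only permitted TCP from the single host 59.59.59.140.

```cisco
! Added example, not from the original answer.
! To-the-box ("control-plane") ACL for the outside interface.
! Allow WebVPN/AnyConnect over tcp/443 only from the one trusted host.
access-list webvpn-restrict extended permit tcp host 59.59.59.140 any eq 443
! Assumption: IPsec peers may still connect from anywhere, so permit
! IKE (udp/500), NAT-T (udp/4500), ESP and AH before the final deny.
access-list webvpn-restrict extended permit udp any any eq 500
access-list webvpn-restrict extended permit udp any any eq 4500
access-list webvpn-restrict extended permit esp any any
access-list webvpn-restrict extended permit ah any any
! Everything else addressed to the ASA itself on outside is dropped and logged.
access-list webvpn-restrict extended deny ip any any log
!
! Bind it as a control-plane ACL; this does not affect through-the-box traffic,
! which is still governed by the normal outside_access_in access-group.
access-group webvpn-restrict in interface outside control-plane
!
! Verification: confirm the binding, then test port 443 from an allowed and
! from a disallowed source and watch the hit counts move on the matching lines.
show running-config access-group
show access-list webvpn-restrict
```

The final deny applies to all traffic whose destination is the ASA's outside address, not just port 443, which is why the IPsec permits are there and why anything else you use to reach the outside interface (ICMP, management protocols) should be accounted for before the access-group line is entered over a remote session.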
Updated on September 18, 2022
Comments
-
markus over 1 year
I've got a Cisco ASA5510 with Firmware Version 8.0(5).
I'd like to restrict the source IPs that are allowed to access the router through WebVPN (port 443). Here is the relevant part of the config.
access-list outside_access_in extended permit ip host 59.59.59.140 any
access-list outside_access_in extended deny ip any any
[...]
access-group outside_access_in in interface outside
[...]
webvpn
 enable outside
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 1
 svc enable
 tunnel-group-list enable
Still, my webvpn port is available from all over the world. How can I fix this?
-
Zeb over 6 years
This is the correct answer. It works, I have personally verified it. Note that if you apply this restriction, it will also apply to IPsec coming in, so you might want to permit udp/500, udp/4500, ah and esp.
-
Zeb over 6 years
This answer is factually incorrect; tekcert.com and @Roli's answers are correct.