I have been tasked with preventing internal users from activating and using the Anyconnect client while on our internal network.
What is the best approach to this?
ACL applied to the inside interface inbound?
Assigning an ACL to a split tunnel configuration?
Something else?
Thank you in advance for any help.
First of all I want to thank you all for your responses.
A little more information:
I just received access to the ASA.
There is no NATing involved. This agency is using public IPs.
On the ASA the inside interface is shutdown.
The Anyconnect traffic is solid.
The network that needs to be denied internally is a /16
This is using split tunneling. I thought I could use a tunnelexclude policy to deny but that does not work. Any other ideas? The AnyConnect works fine; it’s just this agency wants to prevent any internal users from using that /16.
Just to clarify: what’s the behavior you want to deny?
– dialing in to your own network from inside the LAN
– dialing in to another company’s VPN
If we’re talking about the first one, you cannot do this with an ACL.
An ACL will only filter traffic through the firewall, not traffic towards the firewall.
I would think about a local DNS pointer resolving the VPN URL towards a black hole from inside the LAN.
How do you do authentication? We handle this on our RADIUS server (Clearpass) for certain connection profiles. RADIUS gets all the info you need to do it (connection profile name, user’s IP), but your RADIUS server needs to be good enough / flexible enough to do it.
You can also do an ACL on the inbound interface, but that would apply to all connections/groups/users/etc…
If the internal users go to the internet through the same ASA as they VPN into, you should disable AnyConnect on the inside interface. It’s just a simple setting.
Is this “new”? On your linked document it’s referenced to 9.18.3.
I was checking with cisco for something like that early 2023 to block vpn from various countries and was told “sorry no way to do that”
It’s not new, you’ve been able to apply ACLs to the control plane for some time. However you only get extended ACLs, you cannot have it traverse the Firepower engine for geolocation. So there still is no way to block various countries as you stated. You’d have to do it by IP, which is kind of nuts.
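The two approaches the replies above describe (only enabling AnyConnect on the outside interface, and a control-plane ACL that filters traffic addressed to the ASA itself) look like this on the ASA CLI. This is an added example, not configuration posted by anyone in the thread; the interface names `inside` and `outside`, the ACL name `CP-INSIDE`, and the address 203.0.113.1 are placeholders to be replaced with the real values.

```cisco
! Added example, not from the thread. Assumes the interface facing the
! internal /16 is named "inside" with address 203.0.113.1 (placeholder),
! and that AnyConnect is terminated on "outside".
!
! 1) Terminate AnyConnect on the outside interface only. Leaving out
!    "enable inside" means the headend never listens for SSL VPN on the LAN.
webvpn
 enable outside
 anyconnect enable
!
! 2) Control-plane ACL on inside. A normal interface ACL only filters
!    through-the-box traffic; the "control-plane" keyword applies the ACL
!    to traffic destined to the ASA's own address, which is where the
!    AnyConnect client connects (TCP/443 SSL, UDP/443 DTLS, IKEv2 on
!    UDP/500 and UDP/4500). "log" records hits so blocked attempts are
!    visible in syslog.
access-list CP-INSIDE extended deny tcp any host 203.0.113.1 eq https log
access-list CP-INSIDE extended deny udp any host 203.0.113.1 eq 443 log
access-list CP-INSIDE extended deny udp any host 203.0.113.1 eq isakmp log
access-list CP-INSIDE extended deny udp any host 203.0.113.1 eq 4500 log
! A control-plane ACL ends in an implicit deny, so keep management
! access (SSH/ASDM from inside) working with an explicit permit.
access-list CP-INSIDE extended permit ip any any
access-group CP-INSIDE in interface inside control-plane
!
! Verify: "show access-list CP-INSIDE" shows the hit counts per line, and
! "show running-config access-group" confirms the control-plane binding.
```

Note that the control-plane ACL only stops clients from reaching this ASA from the LAN; as the DNS black-hole suggestion above points out, nothing on the firewall can stop a user from dialing into some other company's VPN, and the split-tunnel or tunnelexclude policy only governs traffic after the tunnel is already up.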