Restricting VPN client to specific inside IP's

May 17th, 2007

I want to setup ipsec vpn so that certain vendors can access their server behind the ASA5510, and only their server without using a radius server. What is the best way to accomplish this and what documentation can I use?

tahequivoice Mon, 05/21/2007 - 05:23

Wow, I can't believe no one has replied to this. Makes me wonder if it can be done or not.

acomiskey Mon, 05/21/2007 - 05:32

Sure it can. Can you give us a little more information about how you have your vendors set up? Are they all under one tunnel group/policy, and do they authenticate via the LOCAL database on the ASA? You have several options here, so knowing how you are currently set up will point us in the right direction for you.

Here's one possibility: you can assign a vpn-filter on a specific tunnel group policy or per user account on the ASA.

tahequivoice Mon, 05/21/2007 - 05:41

Nothing has been built yet, we are in the consulting stage and this is one of the questions that came up. I kind of thought it is possible, but need to verify 100% before saying yes. I just now found a document on the Cisco site; it's a pain in the butt trying to find what you need, you have to play with the search wording, but I finally hit upon the right words. asdm-restrict-remot-net-access.pdf is what I was looking for. I haven't had a chance to read through it yet, but it appears that I can do this without the use of a Radius server.

acomiskey Mon, 05/21/2007 - 05:51

That is the document I referenced above. It goes over creating a vpn-filter, which defines an ACL that is assigned to a tunnel group policy. You can also assign these vpn-filters to individual users in the ASA local database.

Another option is to simply create different tunnel groups and/or group policies, specifying the interesting traffic/NAT exemption/split tunnel ACLs to only include access to specific devices.
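As an added illustration of the vpn-filter approach described in this thread (not configuration posted by anyone in it, and not taken from the Cisco document), here is what the pieces look like on the ASA CLI. The vendor name, pool 192.168.100.0/24, server 10.1.1.50, ports and account are all constructed values; the point is that the filter ACL is written with the VPN client address as source and the inside host as destination, and that anything the ACL does not permit is dropped by its implicit deny.

```text
! Constructed example: one vendor group locked to one inside server
!
! Address pool handed out to this vendor's IPsec clients
ip local pool VENDOR-A-POOL 192.168.100.1-192.168.100.10 mask 255.255.255.0
!
! vpn-filter ACL. Source = VPN client address, destination = inside host.
! Only the listed services are reachable; everything else hits the implicit deny.
access-list VENDOR-A-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.50 eq 3389
access-list VENDOR-A-FILTER extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.50 eq 22
!
! Group policy carrying the filter; every user landing in this group inherits it
group-policy VENDOR-A-GP internal
group-policy VENDOR-A-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VENDOR-A-FILTER
!
! LOCAL-database account for the vendor, tied to the group policy (no RADIUS needed).
! A per-user "vpn-filter value ..." under "username ... attributes" would override the group's filter.
username vendora-tech password <PASSWORD-PLACEHOLDER>
username vendora-tech attributes
 vpn-group-policy VENDOR-A-GP
!
! Remote-access tunnel group for this vendor (ASA 7.x syntax: "type ipsec-ra")
tunnel-group VENDOR-A type ipsec-ra
tunnel-group VENDOR-A general-attributes
 address-pool VENDOR-A-POOL
 authentication-server-group LOCAL
 default-group-policy VENDOR-A-GP
tunnel-group VENDOR-A ipsec-attributes
 pre-shared-key <PSK-PLACEHOLDER>
```

Because VPN traffic normally bypasses the interface ACLs (sysopt connection permit-vpn), the vpn-filter is the control that actually confines the vendor; a second vendor gets its own pool, ACL, group policy and tunnel group rather than sharing this one.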
