Restricting VPN client to specific inside IP's

tahequivoice
Level 2

I want to set up an IPsec VPN so that certain vendors can access their server behind the ASA5510, and only their server, without using a RADIUS server. What is the best way to accomplish this, and what documentation can I use?

4 Replies

tahequivoice
Level 2

Wow, I can't believe no one has replied to this. Makes me wonder if it can be done or not.

Sure it can. Can you give us a little more information about how you have your vendors set up? Are they all under one tunnel group/policy? Do they authenticate via the LOCAL database on the ASA? You have several options here, so knowing how you are currently set up will point us in the right direction.

Here's one possibility: you can assign a vpn-filter to a specific tunnel group policy or to an individual user account on the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Nothing has been built yet; we are in the consulting stage and this is one of the questions that came up. I kind of thought it was possible, but I need to verify 100% before saying yes. I just now found a document on the Cisco site. It's a pain in the butt trying to find what you need; you have to play with the search wording, but I finally hit upon the right words. asdm-restrict-remot-net-access.pdf is what I was looking for. I haven't had a chance to read through it yet, but it appears that I can do this without the use of a RADIUS server.

That is the document I referenced above. It goes over creating a vpn-filter, which defines an ACL that is assigned to a tunnel group policy. You can also assign these vpn-filters to individual users in the ASA local database.

Another option is to simply create different tunnel groups and/or group policies, specifying the interesting traffic, NAT exemption and split-tunnel ACLs so they only include access to specific devices.
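As an added illustration of the two options described in this thread (a vpn-filter on a group policy and on a local user, plus a per-vendor tunnel group with its own split-tunnel list and NAT exemption), here is a constructed ASA configuration. It is not from the thread or from the linked Cisco document. The vendor name, the client pool 10.99.1.0/24, the vendor server 192.168.1.50, the RDP port and the pre-8.3 NAT syntax are all assumptions for this example; the ACL direction convention shown (client pool as source, inside server as destination) is also an assumption and should be confirmed against the linked vpn-filter configuration example before deployment.

```cisco
! Constructed example for one vendor; all names and addresses are placeholders.
! Address pool handed to this vendor's IPsec clients
ip local pool VENDOR1_POOL 10.99.1.1-10.99.1.10 mask 255.255.255.0

! vpn-filter ACL: permit only RDP from the vendor pool to the vendor's own server.
! Assumed convention: VPN client addresses as source, inside host as destination;
! the ASA applies the filter after decryption and handles the return traffic.
! The explicit deny with "log" makes any out-of-scope attempt visible in syslog.
access-list VENDOR1_FILTER extended permit tcp 10.99.1.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list VENDOR1_FILTER extended deny ip any any log

! Split-tunnel list: the client only sends traffic for the one server into the tunnel
access-list VENDOR1_SPLIT standard permit host 192.168.1.50

! NAT exemption between the inside network and the vendor pool (pre-8.3 syntax)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 10.99.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Group policy carrying the filter and split-tunnel settings (option 1, per policy)
group-policy VENDOR1_GP internal
group-policy VENDOR1_GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value VENDOR1_FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value VENDOR1_SPLIT

! Local-database user; a per-user vpn-filter overrides the group policy's filter,
! and group-lock ties the account to its own tunnel group
username vendor1 password <CHANGEME>
username vendor1 attributes
 vpn-group-policy VENDOR1_GP
 vpn-filter value VENDOR1_FILTER
 group-lock value VENDOR1

! Dedicated remote-access tunnel group for this vendor (option 2, per tunnel group)
tunnel-group VENDOR1 type remote-access
tunnel-group VENDOR1 general-attributes
 address-pool VENDOR1_POOL
 default-group-policy VENDOR1_GP
tunnel-group VENDOR1 ipsec-attributes
 pre-shared-key <CHANGEME>
```

Each additional vendor gets its own pool, filter ACL, split-tunnel list, group policy and tunnel group, so one vendor's filter never has to reference another vendor's server. After a vendor connects, `show vpn-sessiondb remote` shows the session and the filter name applied to it, and the logged denies from VENDOR1_FILTER are the first place to look if the vendor reports "it doesn't work" or if you want evidence that the restriction is actually enforced.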
