
Restrict RemoteAccess VPN to ASA 5520 v 7.2

networkingib
Level 1

Hi to all,

I would like to know how I can restrict the hosts that can establish a Remote Access VPN with my ASA.

For example, I would like to allow some public IPs and deny all the others.

I have been looking in the manuals and on the web but I haven't been able to find a solution.

Thanks and regards,

Fernando.

3 Replies

acomiskey
Level 10

Fernando,

If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists.

If you are interested in filtering traffic after the session has been established, then you are looking for this...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

Hi acomiskey,

First of all, thanks for your reply.

You said:

"If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists."

I was looking for something similar to this but to be applied to the object-group. I will go into more depth. I have two different groups for the VPN, one for management that would need to be filtered to allow only some public IPs and another VPN for office users that would be able to access from any public IP. So, if I used your solution it would deny access for the office users.

Would it be possible to do it another way?

Kind Regards, Fernando.

Hi,

If you have an ACS, you can send attributes to the ASA to block IPsec tunnel attempts to the ASA based on profiles.

Federico.
