ASA 5520 v7.2 - Restrict Remote Access VPN to a specific object-group

May 30th, 2007

Hi to all,

I would like to know how I can restrict the users (by source IP) that can access to a specific object-group.

In my case I have different groups to establish a VPN with the internal networks for different purposes. One of them is for managing the servers and must only be allowed from some specific public IPs that I know, and all the other object-groups should be allowed from any IP.

acomiskey advised me that I could disable "sysopt connection permit-vpn" and create an access-list for the VPN traffic, but it would restrict all the other object-groups and that isn't possible for me.

Thanks and regards,


ggilbert Wed, 05/30/2007 - 07:13
Cisco Employee


For the VPN clients to be connected only from specific IP addresses, it's convoluted with the "no sysopt connection permit-vpn" command, since you need to add an access-list to permit all the clients and deny only some.

But I would suggest that you use the user authentication method to assign them to a group and create a vpn-filter to allow access to specific internal networks.

Hope this works out for you.

Rate this post, if it does.



networkingib Wed, 05/30/2007 - 10:01

Hi Gilbert,

First of all, thanks for your reply.

But I don't know whether you understood my question, since I think that it doesn't cover my needs. I will try to explain better:

I have different VPN groups, each of them with different clients (users), and for only one of the groups I would like to restrict access to only some public IPs (two or three), so that in order for an authorized user to be able to mount a VPN tunnel using that group, the user has to have a valid account and has to be connected from a specific IP, like a double security method.

Regards, Fernando.

ggilbert Wed, 05/30/2007 - 10:17
Cisco Employee


Restriction on a public IP address - NO.

Restriction on a specific user to a specific tunnel-group - Yes.

Use the group-lock feature on the group-policy. :)

BTW, thank you very much for explaining. Much appreciated.
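As an added configuration example (not posted by anyone in this thread), here is what Gilbert's two suggestions, a vpn-filter on the group-policy and group-lock on the user, look like together in ASA 7.2 syntax. All names, addresses and the SSH-only restriction are assumptions for illustration; the address pool, the management server subnet and the user name are made up. A vpn-filter ACL is written from the remote client's point of view, so the source is the address the client is assigned from the pool and the destination is the internal object-group.

```cisco
! Internal servers that only the management group may reach (assumed addresses)
object-group network MGMT_SERVERS
 network-object 10.10.10.0 255.255.255.0

! Pool handed to clients of the management tunnel-group (assumed)
ip local pool MGMT_POOL 192.168.100.1-192.168.100.20 mask 255.255.255.0

! vpn-filter ACL: source = client pool address, destination = internal servers.
! Only SSH is allowed; everything else from this group is dropped by the implicit deny.
access-list MGMT_VPN_FILTER extended permit tcp 192.168.100.0 255.255.255.0 object-group MGMT_SERVERS eq ssh

! Group-policy that carries the filter and locks its users to one tunnel-group
group-policy MGMT_ADMINS internal
group-policy MGMT_ADMINS attributes
 vpn-filter value MGMT_VPN_FILTER
 group-lock value MGMT_TUNNEL

! Remote-access tunnel-group for the management users (assumed name)
tunnel-group MGMT_TUNNEL type ipsec-ra
tunnel-group MGMT_TUNNEL general-attributes
 address-pool MGMT_POOL
 default-group-policy MGMT_ADMINS

! Local user bound to the policy; group-lock makes the ASA reject this account
! if it tries to connect through any other tunnel-group (password is a placeholder)
username admin1 password CHANGEME-PLACEHOLDER
username admin1 attributes
 vpn-group-policy MGMT_ADMINS
 group-lock value MGMT_TUNNEL
```

Note that this reproduces exactly what Gilbert states: the restriction is on which user may use which tunnel-group and what that user may reach inside, not on the public source IP the client connects from. The other tunnel-groups keep their own group-policies and are unaffected, which is the part an interface ACL with "no sysopt connection permit-vpn" could not give. After applying, `show vpn-sessiondb remote` and `show access-list MGMT_VPN_FILTER` are the places to confirm the filter is hit.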



networkingib Wed, 05/30/2007 - 10:24

Hi Gilbert,

Then, if I understood you well, it is not possible to do what I want.

That is bad news for me, so I will have to look for another, more secure way of doing this.

Kind Regards, Fernando.

