ASA 5520 v7.2 - Restrict Remote Access VPN to a specific object-group

Unanswered Question
May 30th, 2007

Hi to all,


I would like to know how I can restrict the users (by source IP) that can access to a specific object-group.


In my case I have different groups to establish a VPN with the internal networks for different purposes; one of them is for managing the servers and must only be allowed from some specific public IPs that I know, and all the other object-groups should be allowed from any IP.


acomiskey advised me that I could disable "sysopt connection permit-vpn" and create an access-list for the VPN traffic, but it would restrict all the other object-groups and that isn't possible for me.


Thanks and regards,


Fernando.



ggilbert Wed, 05/30/2007 - 07:13
User Badges:
  • Cisco Employee,

Fernando,


For the VPN clients to be connected only from specific IP addresses, it's convoluted with the "no sysopt connection permit-vpn" command since you need to add an access-list to permit all the clients and deny only some.


But I would suggest that you use the user authentication method to assign them to a group and create a vpn-filter to allow access to specific internal networks.


Hope this works out for you.


Rate this post, if it does.


Cheers

Gilbert

networkingib Wed, 05/30/2007 - 10:01

Hi Gilbert,


First of all, thanks for your reply.


But I don't know if you didn't understand my question since I think that it doesn't cover my needs. I will try to explain better:


I have different VPN groups, each of them with different clients (users), and only for one of the groups I would like to restrict the access to only some public IPs (two or three), so that in order for an authorized user to be able to mount a VPN tunnel using that group, the user has to have a valid account and has to be connected from a specific IP, like a double security method.


Regards, Fernando.

ggilbert Wed, 05/30/2007 - 10:17
User Badges:
  • Cisco Employee,

Fernando,


Restriction on a public IP address - NO.


Restriction on a specific user to a specific tunnel-group - Yes.


Use the group-lock feature on the group-policy. :)


BTW, thank you very much for explaining. Much appreciated.


Cheers

Gilbert
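
The two mechanisms Gilbert mentions (a vpn-filter on the group-policy and group-lock to a tunnel-group) as an added worked ASA 7.x configuration; this is not from the thread, and all names, addresses, and the pool range are placeholders.

```cisco
! Added example (not from the thread). Names, addresses and pool are placeholders.
!
! 1. Internal servers the admin group may reach
object-group network MGMT-SERVERS
 network-object host 10.10.10.10
 network-object host 10.10.10.11
!
! 2. vpn-filter ACL: filters the decrypted tunnel traffic of this group only,
!    independent of "sysopt connection permit-vpn", so other groups are untouched.
!    Source is the client pool address, destination is the internal network.
access-list VPN-ADMIN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 object-group MGMT-SERVERS eq 22
access-list VPN-ADMIN-FILTER extended permit tcp 192.168.100.0 255.255.255.0 object-group MGMT-SERVERS eq 3389
access-list VPN-ADMIN-FILTER extended deny ip any any
!
! 3. Group policy: apply the filter and lock users of this policy to TG-ADMIN
group-policy GP-ADMIN internal
group-policy GP-ADMIN attributes
 vpn-filter value VPN-ADMIN-FILTER
 group-lock value TG-ADMIN
!
! 4. Tunnel group and address pool for the admin group
ip local pool ADMIN-POOL 192.168.100.1-192.168.100.50 mask 255.255.255.0
tunnel-group TG-ADMIN type ipsec-ra
tunnel-group TG-ADMIN general-attributes
 address-pool ADMIN-POOL
 default-group-policy GP-ADMIN
tunnel-group TG-ADMIN ipsec-attributes
 pre-shared-key <placeholder>
!
! 5. Bind the user to the policy; group-lock rejects this user on any other tunnel-group
username admin-user password <placeholder>
username admin-user attributes
 vpn-group-policy GP-ADMIN
```

Verify with "show running-config group-policy GP-ADMIN" and, after a test login, "show vpn-sessiondb remote filter name admin-user" to confirm the filter and tunnel-group in effect.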

networkingib Wed, 05/30/2007 - 10:24

Hi Gilbert,


Then, if I understood you well, it is not possible to do what I want.


That is bad news for me, so I will have to look for another, more secure way of doing this.


Kind Regards, Fernando.
