ASA 5520 v7.2 - Restrict Remote Access VPN to a specific object-group

networkingib
Level 1

Hi to all,

I would like to know how I can restrict the users (by source IP) that can access a specific object-group.

In my case I have different groups for establishing a VPN to the internal networks for different purposes. One of them is for managing the servers and must only be allowed from some specific public IPs that I know, while all the other object-groups should be allowed from any IP.

acomiskey advised me that I could disable "sysopt connection permit-vpn" and create an access-list for the VPN traffic, but that would restrict all the other object-groups too, and that isn't possible for me.

Thanks and regards,

Fernando.

4 Replies

ggilbert
Cisco Employee

Fernando,

For the VPN clients to connect only from a specific IP address, it's convoluted with the "no sysopt connection permit-vpn" command, since you need to add an access-list to permit all the clients and deny only some.

But I would suggest that you use the user authentication method to assign them to a group and create a vpn-filter to allow access to specific internal networks.

Hope this works out for you.

Rate this post, if it does.

Cheers

Gilbert

Hi Gilbert,

First of all, thanks for your reply.

But I'm not sure you understood my question, since I think your suggestion doesn't cover my needs. I will try to explain better:

I have different VPN groups, each with different clients (users), and for only one of the groups I would like to restrict access to a few public IPs (two or three), so that for an authorized user to be able to bring up a VPN tunnel using that group, the user has to have a valid account and has to connect from a specific IP, like a double security measure.

Regards, Fernando.

Fernando,

Restriction on a public IP address - NO.

Restriction on a specific user to a specific tunnel-group - Yes.

Use the group-lock feature on the group-policy. :)

BTW, thank you very much for explaining. Much appreciated.

Cheers

Gilbert
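To make the two suggestions above concrete, here is an added ASA configuration sketch (not from the original post or from Cisco's reply) showing a vpn-filter that limits what one group can reach internally, together with group-lock so that a given user can only connect through that tunnel-group. All names, the address pool 10.10.10.0/24 and the server network 192.168.50.0/24 are assumptions for illustration. Note that, as Gilbert states, this controls who may use the group and what they can reach once connected; it does not restrict the public source IP the client connects from.

```cisco
! Assumed address pool handed to clients of the server-admin group
ip local pool POOL-ADMIN 10.10.10.1-10.10.10.50 mask 255.255.255.0

! vpn-filter ACL: for remote-access clients the source is the client
! (pool) address and the destination is the internal network reached
! through the tunnel. Only SSH and RDP to the assumed server network
! are permitted; everything else is dropped and logged.
access-list VPNFILTER-SERVERADMIN extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 22
access-list VPNFILTER-SERVERADMIN extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 3389
access-list VPNFILTER-SERVERADMIN extended deny ip any any log

! Group policy for the server-admin group: apply the filter and lock
! users of this policy to the matching tunnel-group.
group-policy GP-SERVERADMIN internal
group-policy GP-SERVERADMIN attributes
 vpn-filter value VPNFILTER-SERVERADMIN
 group-lock value TG-SERVERADMIN

! Remote-access IPsec tunnel-group (7.x keyword is ipsec-ra)
tunnel-group TG-SERVERADMIN type ipsec-ra
tunnel-group TG-SERVERADMIN general-attributes
 address-pool POOL-ADMIN
 default-group-policy GP-SERVERADMIN
tunnel-group TG-SERVERADMIN ipsec-attributes
 pre-shared-key <key>

! Hypothetical local user bound to the admin policy; the per-user
! group-lock means this account cannot log in through any other group.
username fernando password <password>
username fernando attributes
 vpn-group-policy GP-SERVERADMIN
 group-lock value TG-SERVERADMIN
```

With this in place, a user who authenticates against a different tunnel-group is rejected by group-lock, and a user who does connect through TG-SERVERADMIN can only reach the ports in VPNFILTER-SERVERADMIN. The other groups keep their own policies and are unaffected, which is what the original poster needed; the missing piece, a per-group restriction on the client's public IP, is the part Gilbert says is not available.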

Hi Gilbert,

Then, if I understood you well, it is not possible to do what I want.

That is bad news for me, so I will have to look for another, more secure way of doing this.

Kind Regards, Fernando.
