05-30-2007 12:23 AM - edited 02-21-2020 01:32 AM
Hi to all,
I would like to know how I can restrict the users (by source IP) that can access a specific object-group.
In my case I have different groups to establish a VPN with the internal networks for different purposes; one of them is for managing the servers and must only be allowed from some specific public IPs that I know, while all the other object-groups should be allowed from any IP.
acomiskey advised me that I could disable "sysopt connection permit-vpn" and create an access-list for the VPN traffic, but that would restrict all the other object-groups too, and that isn't possible for me.
Thanks and regards,
Fernando.
05-30-2007 07:13 AM
Fernando,
For the VPN clients to be connected only from specific IP addresses, it's convoluted with the "no sysopt connection permit-vpn" command, since you need to add an access-list to permit all the clients and deny only some.
But I would suggest that you use the user authentication method to assign them to a group and create a vpn-filter to allow access to specific internal networks.
Hope this works out for you.
Rate this post, if it does.
Cheers
Gilbert
05-30-2007 10:01 AM
Hi Gilbert,
First of all, thanks for your reply.
But I'm not sure you understood my question, since I think your suggestion doesn't cover my needs. I will try to explain better:
I have different VPN groups, each of them with different clients (users), and only for one of the groups I would like to restrict access to only some public IPs (two or three), so that, in order for an authorized user to be able to bring up a VPN tunnel using that group, the user has to have a valid account and has to be connecting from a specific IP, like a double security method.
Regards, Fernando.
05-30-2007 10:17 AM
Fernando,
Restriction on a public IP address - NO.
Restriction on a specific user to a specific tunnel-group - Yes.
Use the group-lock feature on the group-policy. :)
BTW, thank you very much for explaining. Much appreciated.
Cheers
Gilbert
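The two mechanisms Gilbert points to across his replies, a vpn-filter on the group-policy and a group-lock tying users to one tunnel-group, look like this on an ASA. This is an added example, not configuration from the thread or from Cisco; the names (MGMT-TG, MGMT-POLICY, MGMT-VPN-FILTER, MGMT-POOL, admin1), the address ranges, the permitted ports and the password placeholder are all assumptions.

```cisco
! Added example, not from the thread. Every name, address and port below is assumed.
! Goal: management users get a per-user group-policy that
!   (a) limits what they can reach inside (vpn-filter), and
!   (b) locks them to one tunnel-group (group-lock), so a valid account in
!       another VPN group cannot be used to reach the management network.
!
! 1. Traffic the management clients may send once the tunnel is up.
!    vpn-filter ACLs are written with the VPN client address as the source.
!    10.10.10.0/24 is the assumed client pool, 192.168.50.0/24 the assumed server LAN.
access-list MGMT-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq ssh
access-list MGMT-VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 192.168.50.0 255.255.255.0 eq 3389
access-list MGMT-VPN-FILTER extended deny ip any any
!
! 2. Address pool handed to management clients (the 10.10.10.0/24 above).
ip local pool MGMT-POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! 3. Group-policy carrying both the filter and the lock.
group-policy MGMT-POLICY internal
group-policy MGMT-POLICY attributes
 vpn-filter value MGMT-VPN-FILTER
 group-lock value MGMT-TG
!
! 4. The tunnel-group the management users must connect through.
!    (On ASA 7.x the type keyword is "ipsec-ra" instead of "remote-access".)
tunnel-group MGMT-TG type remote-access
tunnel-group MGMT-TG general-attributes
 address-pool MGMT-POOL
 default-group-policy MGMT-POLICY
!
! 5. Bind the policy to each management user, so it applies no matter
!    which group the user selects in the client; group-lock then rejects
!    the login if the chosen tunnel-group is not MGMT-TG.
username admin1 password REPLACE-ME-PLACEHOLDER
username admin1 attributes
 vpn-group-policy MGMT-POLICY
```

The vpn-filter is evaluated on decrypted traffic independently of "sysopt connection permit-vpn", so the other groups keep their existing behaviour; only users carrying MGMT-POLICY are constrained, and only on what they can reach inside and which tunnel-group they may use, not on the public IP they connect from.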
05-30-2007 10:24 AM
Hi Gilbert,
Then, if I understood you well, it is not possible to do what I want.
That is bad news for me, so I will have to look for another way of making this more secure.
Kind Regards, Fernando.