Public IP restriction for client-based VPN

Unanswered Question
Jun 16th, 2010

I have an ASA 5520 firewall in my enterprise. Remote access VPN is configured in the firewall for users. Now I want to create a new VPN group. This new group's VPN users should connect only from the allowed public IP.

Is it possible to achieve it in the ASA without affecting the existing user VPN access?

Federico Coto F... Wed, 06/16/2010 - 06:58


The ASA will respond to all ISAKMP requests from any public IP when configured for IPsec.

Creating an ACL, applying it with "control-plane" and restricting which IPs can connect via VPN to the ASA is an option, but that will affect all VPN connections.

To apply a restriction of the source IP for VPN for a certain VPN group, the only option that I see is using an ACS server that applies this restriction to the VPN group.


uthayaman Wed, 06/16/2010 - 08:36

Thanks for the suggestion. Applying an ACL on the control plane will affect my user VPN too.

I don't have an ACS server. I want to achieve it with the ASA.

Federico Coto F... Wed, 06/16/2010 - 11:07

I don't think there's a way to do this on the ASA itself, unfortunately.

The only way to restrict the ASA from responding to IPsec (on the ASA itself) is by applying an ACL with the control-plane keyword.

But the problem is that it will affect all VPN connections.
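
The control-plane ACL mentioned in the replies above, as an added configuration sketch that is not part of any post in this thread. The ACL name `CP-VPN`, the interface name `outside` and the address 203.0.113.10 are placeholders. As the replies note, it filters IKE for every tunnel group terminating on that interface, not only the new one.

```cisco
! Added example, not from the thread. CP-VPN, outside and 203.0.113.10
! (a documentation address) are placeholders.
!
! Allow IKE (UDP 500) and NAT-T (UDP 4500) to the ASA only from the
! permitted public IP.
access-list CP-VPN extended permit udp host 203.0.113.10 any eq isakmp
access-list CP-VPN extended permit udp host 203.0.113.10 any eq 4500
!
! Drop IKE and NAT-T from every other source. This is the side effect
! discussed in the thread: existing VPN users on other groups are
! blocked too, because the ACL is evaluated before any tunnel group
! is selected.
access-list CP-VPN extended deny udp any any eq isakmp
access-list CP-VPN extended deny udp any any eq 4500
!
! Leave all other to-the-box traffic as it was.
access-list CP-VPN extended permit ip any any
!
! The control-plane keyword makes the ACL apply to traffic destined
! to the ASA itself rather than traffic passing through it.
access-group CP-VPN in interface outside control-plane
```

After applying it, `show access-list CP-VPN` shows per-line hit counts, which confirms whether the deny entries are catching connection attempts from other sources.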


