Public IP restriction for client-based VPN

Unanswered Question
Jun 16th, 2010

I have an ASA 5520 firewall in my enterprise. Remote access VPN is configured on the firewall for users. Now I want to create a new VPN group. Users in this new VPN group should connect only from the allowed public IP.

Is it possible to achieve this on the ASA without affecting the existing user VPN access?

Federico Coto F... Wed, 06/16/2010 - 06:58


The ASA will respond to all ISAKMP requests from any public IP when configured for IPsec.

Creating an ACL, applying it with "control-plane", and restricting which IPs can connect via VPN to the ASA is an option, but that will affect all VPN connections.

To apply a restriction of the source IP for VPN for a certain VPN group, the only option that I see is using an ACS server that applies this restriction to the VPN group.


uthayaman Wed, 06/16/2010 - 08:36

Thanks for the suggestion. Applying an ACL on the control plane will affect my user VPN too.

I don't have an ACS server. I want to achieve it with the ASA.

Federico Coto F... Wed, 06/16/2010 - 11:07

I don't think there's a way to do this on the ASA itself, unfortunately.

The only way to restrict the ASA from responding to IPsec (on the ASA itself) is by applying an ACL with the control-plane keyword.

But the problem is that it will affect all VPN connections.
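The control-plane ACL discussed in the replies above, sketched as an added example that is not part of the original thread. The ACL name OUTSIDE-CP, the interface name outside, and the 203.0.113.x addresses are constructed placeholders. The ACL matches only on source IP and port, so it cannot tell VPN groups apart.

```cisco
! Constructed example. 203.0.113.10 and 203.0.113.20 stand in for the
! allowed public source IPs; OUTSIDE-CP is a hypothetical ACL name and
! "outside" is assumed to be the Internet-facing interface.

! Allow ISAKMP (UDP 500) and NAT-T (UDP 4500) to the ASA from the allowed hosts.
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 interface outside eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.10 interface outside eq 4500
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 interface outside eq isakmp
access-list OUTSIDE-CP extended permit udp host 203.0.113.20 interface outside eq 4500

! Deny ISAKMP and NAT-T from every other source. These lines carry no
! notion of a tunnel group, so clients of every VPN group that connect
! from any other address are dropped as well.
access-list OUTSIDE-CP extended deny udp any interface outside eq isakmp
access-list OUTSIDE-CP extended deny udp any interface outside eq 4500

! Leave all other to-the-box traffic unchanged.
access-list OUTSIDE-CP extended permit ip any any

! The control-plane keyword applies the ACL to traffic destined to the
! ASA itself rather than to traffic passing through it.
access-group OUTSIDE-CP in interface outside control-plane

! Check the hit counters after a connection attempt.
show access-list OUTSIDE-CP
```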


