
Public ip restriction for client based VPN

uthayaman
Level 1

I have an ASA 5520 firewall in my enterprise. Remote access VPN is configured in the firewall for users. Now I want to create a new VPN group. This new group's VPN users should connect only from the allowed public IP.

Is it possible to achieve this in the ASA without affecting the existing user VPN access?

5 Replies

Hi,

The ASA will respond to all ISAKMP requests from any public IP when configured for IPsec.

Creating an ACL, applying it with ''control-plane'' and restricting which IPs can connect via VPN to the ASA is an option, but that will affect all VPN connections.

To apply a restriction of the source IP for VPN for a certain VPN group, the only option that I see is using an ACS server that applies this restriction to the VPN group.

Federico.

Thx for the suggestion. Applying an ACL on the control plane will affect my user VPN too.

I don't have an ACS server. I want to achieve it with the ASA.

I don't think there's a way to do this on the ASA itself, unfortunately.

The only way to restrict the ASA from responding to IPsec (on the ASA itself) is by applying an ACL with the control-plane keyword.

But the problem is that it will affect all VPN connections.

Federico.

Here are the best solutions:

- If you use AAA based on LDAP, then use:

nat-assigned-to-public-ip {interface}

- If you use AAA based on RADIUS, then use:

NAS-Port-ID (RADIUS attribute 87)

NAS-Port-ID = Public IP in AnyConnect VPN.

Details:

https://netconfigure.net/index.php/ru/forum/12-konfiguratsiya-setevogo-oborudovaniya/199-cisco-anyconnect-source-ip-restrict-ogranichenie-dostupa-po-vneshnemu-ip-klienta
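To illustrate the RADIUS option from the reply above, here is an added policy function (not from this thread, Cisco, or any RADIUS product) of the kind a RADIUS server could run on each Access-Request: it reads the client's public IP from NAS-Port-Id (attribute 87), which the reply states the ASA sends for AnyConnect, and enforces a source allow-list only for the restricted tunnel-group, so the existing user group is not affected. The `Tunnel-Group-Name` key, the `ALLOWED_SOURCES` table and the ":port" suffix handling are assumptions for the example.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network
from typing import Dict, List, Optional, Tuple, Union

# Constructed sample policy (not from the thread): allowed client public
# prefixes per tunnel-group, using RFC 5737 documentation ranges. None means
# "no source restriction", so the existing user group keeps working as before.
ALLOWED_SOURCES: Dict[str, Optional[List[str]]] = {
    "RESTRICTED-VPN": ["203.0.113.0/24", "198.51.100.7/32"],
    "USER-VPN": None,
}


def parse_nas_port_id(value: str) -> Optional[Union[IPv4Address, IPv6Address]]:
    """Client public IP from NAS-Port-Id (RADIUS attribute 87), per the reply above.

    A trailing ":port" on an IPv4 literal is tolerated (assumed NAS formatting);
    anything unparseable yields None so the caller can fail closed.
    """
    value = value.strip()
    try:
        return ip_address(value)
    except ValueError:
        pass
    if value.count(":") == 1:  # e.g. "198.51.100.7:44321"
        try:
            return ip_address(value.rsplit(":", 1)[0])
        except ValueError:
            return None
    return None


def evaluate_request(attrs: Dict[str, str]) -> Tuple[bool, str]:
    """Accept/reject one Access-Request given its attributes as a dict.

    The "Tunnel-Group-Name" key is an assumed name for the attribute carrying
    the ASA tunnel-group; adapt it to what your RADIUS server exposes.
    """
    group = attrs.get("Tunnel-Group-Name", "")
    if group not in ALLOWED_SOURCES:
        return False, f"unknown tunnel-group {group!r}; fail closed"
    allowed = ALLOWED_SOURCES[group]
    if allowed is None:
        return True, f"{group}: no source restriction configured"
    client_ip = parse_nas_port_id(attrs.get("NAS-Port-Id", ""))
    if client_ip is None:
        return False, f"{group}: NAS-Port-Id missing or unparseable; fail closed"
    for prefix in allowed:
        if client_ip in ip_network(prefix):
            return True, f"{group}: {client_ip} within {prefix}"
    return False, f"{group}: {client_ip} not in allow-list"
```

A missing or malformed NAS-Port-Id rejects the restricted group rather than letting it through, which is the behaviour to keep when the attribute is the only thing carrying the client's source address.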

Is that possible to do for SSL client VPN?
