
Limit VPN Client to ASA from single site

d.hodgson
Level 1

Hi folks,

So I've got a customer (custA) who wants to allow users of a customer of theirs (custB) to connect to custA's network via an ASA using Cisco VPN clients. I'm trying to secure it as much as possible. Can I somehow limit VPN Client connections to the ASA of custA from custB using the public IP of the custB site?

The ASA has other LAN 2 LAN VPN sites that connect to it.

A LAN 2 LAN is not the preferred option here, as specified by custA.

I have split tunneling to limit what IPs custB will connect to.

Via an ACL I have defined what ports and IPs they connect to.

RSA will be used, but in a couple of months' time.

XAUTH is configured and using local usernames and passwords.

The public IP of custB is 2.2.2.2 (example for reference)

thanks

Dave

4 Replies

Marcin Latosiewicz
Cisco Employee

Dave,

ASA provides the following option under group-policy:

  vpn-simultaneous-logins     -    Enter maximum number of simultaneous logins

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1631556

Also from radius.

Is that something you were considering?

Marcin

Hi Marcin,

thanks for your suggestions but that's not really what I'm after.

I'd like to deploy, for a remote access VPN client, something similar to VPN peers for LAN 2 LANs. Is that possible using the remote VPN client site's public IP address?

thanks

Dave

Dave,

I don't believe there is an option like this, since you most likely land on a dynamic crypto map.

You would need to make a group-to-IP correlation at some point...

Sorry, nothing rings a bell.

If it's only their headquarters that you would like to allow, why not use an L2L tunnel rather than remote access?

Seems like it's what you want anyway ;-)

Marcin

No worries. I thought it was worth asking the question.
