[ra vpn] restrict allowed ip add for tunnel initiators

Unanswered Question
Aug 24th, 2010


I've seen several people ask this here, but no definitive answers. I would like to be able to allow only certain IP Adds to initiate a remote access VPN to a certain group.

For example:

IP-Prefix A is allowed to initiate (and connect) to tunnel-group A (but not to tunnel-group B)

IP-Prefix B is allowed to initiate (and connect) to tunnel-group B (but not to tunnel-group A)

Again, the issue here is not what the user is allowed to do once connected, but what IP Adds are allowed to bring up the ra tunnel if authenticated.

Is this possible? If so, can you provide sample config?

Thanks in advance!


gurdsing Wed, 09/01/2010 - 14:36


This does not seem to be possible at the moment. Please contact your Cisco account team or reseller to file a feature request.



Federico Coto F... Wed, 09/01/2010 - 16:13


If you have an ACS server then the ACS can restrict which public IPs are allowed to initiate a RA VPN IPsec to the ASA/router based on profiles.

If you don't have an ACS, the only option is on the ASA to create an ACL denying UDP 500 to the outside IP (with the control-plane option) so the ASA will check traffic to itself. But this is not what you're looking for, because it will restrict which IPs can initiate RA VPN for the entire ASA (cannot discriminate based on profiles).
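The box-wide alternative described in the answer above, written out as an added example (it is not configuration from the post or from Cisco documentation). The interface name `outside`, the outside address `192.0.2.1`, the allowed prefixes `198.51.100.0/24` and `203.0.113.0/24`, and the ACL name `OUTSIDE_TO_BOX` are all constructed assumptions. It goes slightly beyond the answer by also covering UDP 4500, which IKE uses when NAT traversal is in play, since filtering UDP 500 alone leaves that path open:

```cisco
! Added example, not from the original post. All names and addresses are constructed.
! To-the-box ACL: only the two listed prefixes may start IKE against the outside address.
! This applies to every tunnel-group on the ASA; it cannot distinguish profile A from B.
access-list OUTSIDE_TO_BOX extended permit udp 198.51.100.0 255.255.255.0 host 192.0.2.1 eq 500
access-list OUTSIDE_TO_BOX extended permit udp 198.51.100.0 255.255.255.0 host 192.0.2.1 eq 4500
access-list OUTSIDE_TO_BOX extended permit udp 203.0.113.0 255.255.255.0 host 192.0.2.1 eq 500
access-list OUTSIDE_TO_BOX extended permit udp 203.0.113.0 255.255.255.0 host 192.0.2.1 eq 4500
! Everyone else is refused at IKE, before any authentication attempt is processed.
access-list OUTSIDE_TO_BOX extended deny udp any host 192.0.2.1 eq 500
access-list OUTSIDE_TO_BOX extended deny udp any host 192.0.2.1 eq 4500
! A control-plane ACL ends in an implicit deny for all other to-the-box traffic,
! so leave the remaining management and protocol traffic to the box explicitly permitted.
access-list OUTSIDE_TO_BOX extended permit ip any any
! The control-plane keyword makes the ACL apply to traffic addressed to the ASA itself,
! not to through traffic.
access-group OUTSIDE_TO_BOX in interface outside control-plane
```

Before applying such an ACL on a production box, confirm that the final `permit ip any any` really covers every other to-the-box flow you rely on (SSH/ASDM management, routing protocols, logging), and remember that the `show access-list OUTSIDE_TO_BOX` hit counts are a useful way to verify that unwanted IKE initiators are being dropped rather than reaching the authentication stage.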


