[ra vpn] restrict allowed ip add for tunnel initiators

Carlos A. Silva
Level 3

Hi,

I've seen several people ask this here, but no definitive answers. I would like to be able to allow only certain IP addresses to initiate a remote access VPN to a certain group.

For example:

IP-Prefix A is allowed to initiate (and connect) to tunnel-group A (but not to tunnel-group B)

IP-Prefix B is allowed to initiate (and connect) to tunnel-group B (but not to tunnel-group A)

Again, the issue here is not what the user is allowed to do once connected, but what IP addresses are allowed to bring up the RA tunnel if authenticated.

Is this possible? If so, can you provide sample config?

Thanks in advance!

c.

2 Replies

gurdsing
Level 1

Hi,

This does not seem to be possible at the moment. Please contact your Cisco accounts team or reseller to file a feature request.

Thanks,

Guru.

Hi,

If you have an ACS server, then the ACS can restrict which public IPs are allowed to initiate an RA VPN IPsec to the ASA/router based on profiles.

If you don't have an ACS, the only option is on the ASA to create an ACL denying UDP 500 to the outside IP (with the control-plane option) so the ASA will check traffic to itself. But this is not what you're looking for, because it will restrict which IPs can initiate RA VPN for the entire ASA (cannot discriminate based on profiles).


Federico.
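For reference, here is what the ASA control-plane ACL described in the reply above looks like as a worked example (added here, not part of the original thread). It assumes an outside interface address of 198.51.100.1 and a permitted source prefix of 203.0.113.0/24 (both RFC 5737 documentation ranges used as placeholders), and it also covers UDP 4500 because IKE falls back to NAT-T on that port; as the reply says, this filter is global to the ASA, not per tunnel-group.

```cisco
! Constructed example: restrict who may start IKE (UDP 500) and NAT-T (UDP 4500)
! toward the ASA's own outside address. 198.51.100.1 and 203.0.113.0/24 are
! placeholder values; replace with the real outside IP and allowed prefix.
access-list OUTSIDE-CP extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 4500
! Everyone else is refused at the IKE layer, before any tunnel-group is selected.
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq isakmp
access-list OUTSIDE-CP extended deny udp any host 198.51.100.1 eq 4500
! Keep other to-the-box traffic (e.g. management you already allow) unaffected.
access-list OUTSIDE-CP extended permit ip any any
! The control-plane keyword applies the ACL to traffic destined to the ASA itself,
! not to traffic passing through it.
access-group OUTSIDE-CP in interface outside control-plane
```

Verify the effect with `show access-list OUTSIDE-CP` (hit counts on the deny lines show rejected initiators) before relying on it, and remember that a remote user inside the permitted prefix can still reach any tunnel-group; only the ACS-based approach in the reply can tie source IP to a profile.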
