
ASA-VPN: How do you restrict the remote access network - who can establish VPN and who not?

Manuel.Picco
Level 1

Hello,

In our VPN configuration (ASA5520, AnyConnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server.

We'd like to restrict the access like this:

A Group "Home User" might establish a VPN from anywhere on the Internet

A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet (home, hotel, etc.), VPN Access should not work!

On our old solution, we were able to limit the remote access network, per user group, to some source IPs.

How can you do that in ASA?

The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists where you can define/restrict public access networks for some groups.

Or is it possible to do that by Dynamic Access Policies? How?

Thanks,

2 Replies

DEAN WETHERALD
Level 1

Hello - Did you find a resolution to this issue?

Thanks,

Dean

Flavio Vettori
Level 1

Look for how to disable "sysopt connection permit-vpn".