ASA 5500 IPSEC-ra VPN Question

it_email · ‎09-19-2007

We are a small company running an ASA 5505 and up until today, we've had about 10 mobile VPN users connecting from wherever they can get wireless access. Today we setup a seperate group tunnel for a development team that will also need access to the VPN. There are only a few with the company that need access and they do not want to setup a lan2lan vpn. We created IPSEC-ra accounts for these users but now we want to make sure they only access our VPN from their location which has a static IP. No programmers should be accessing the network from home or any other remote location. Is it possible to setup a configuration where the mobile users can connect from any source IP however the developers are teathered to one?

mfreijser · ‎09-20-2007

I don't think that's possible. The intention of a Remote Access VPN is that it can be initiated from virtually anywhere in the world without having to configure a group or crypto map for every possible ip-address.

You can restrict the times when the development team may connect to the ASA, but that doesn't prohibit them from making a connection when their not present at their own location.

I think it's better to place a VPN-device on the location of the development team so that you can be sure that they won't connect from a different location.

Please rate if the post is usefull!

Regards,

Michael