Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Allowing VPN clients from specific networks

I want to restrict VPN connections to come only from certain networks. So if the client is not sitting on a A.B.C.D ip address and tries to VPN in, he gets disconnected. I guess it's an IP checking feature I'm trying to implement. How do I go about doing that? This is my config:

ciscoasa# sh run

: Saved


ASA Version 8.0(4)


hostname ciscoasa

enable password xxx

passwd xxx



interface Ethernet0/0

speed 100

duplex full

nameif outside

security-level 0

ip address outside_ip


interface Ethernet0/1

speed 100

duplex full

nameif inside

security-level 100

ip address


interface Ethernet0/2


no nameif

no security-level

no ip address


interface Ethernet0/3


no nameif

no security-level

no ip address


interface Management0/0

nameif management

security-level 100

ip address



boot config disk0:/exit

ftp mode passive

clock timezone mst -7

clock summer-time mdt recurring

access-list split_tunnel_list standard permit

access-list inside_nat0_outbound extended permit ip

access-list inbound_on_outside extended permit icmp any any

access-list inbound_on_outside extended permit tcp any host outside_ip eq 5555

pager lines 24

logging enable

logging asdm informational

mtu outside 1500

mtu inside 1500

mtu management 1500

ip local pool vpnuserspool mask

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp deny any outside

asdm image disk0:/asdm-613.bin

no asdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 1

static (inside,outside) tcp outside_ip 5555 5555 netmask

access-group inbound_on_outside in interface outside

route outside outside_ip 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

dynamic-access-policy-record DfltAccessPolicy

aaa authentication ssh console LOCAL

http server enable

http inside

http inside

http management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec transform-set firstset esp-3des esp-md5-hmac

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set transform-set firstset

crypto dynamic-map dyn1 1 set security-association lifetime seconds 28800

crypto dynamic-map dyn1 1 set security-association lifetime kilobytes 4608000

crypto dynamic-map dyn1 1 set reverse-route

crypto map mymap 1 ipsec-isakmp dynamic dyn1

crypto map mymap interface outside

crypto isakmp enable outside

crypto isakmp policy 1

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 43200

crypto isakmp nat-traversal 3600

telnet timeout 5

ssh inside

ssh inside

ssh timeout 60

console timeout 0

New Member

Re: Allowing VPN clients from specific networks

management-access inside

dhcpd address inside

dhcpd dns interface inside

dhcpd enable inside


dhcpd address management

dhcpd enable management


threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

ntp server source outside

group-policy vpnuserspolicy internal

group-policy vpnuserspolicy attributes

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list

address-pools value vpnuserspool

username john.doe password xxxencrypted

username xxx

vpn-group-policy vpnuserspolicy

username admin password xxx encrypted privilege 15

username admin attributes

vpn-group-policy vpnuserspolicy

tunnel-group vpnusersgroup type remote-access

tunnel-group vpnusersgroup general-attributes

default-group-policy vpnuserspolicy

tunnel-group vpnusersgroup ipsec-attributes

pre-shared-key *


class-map inspection_default

match default-inspection-traffic



policy-map type inspect dns preset_dns_map


message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp


service-policy global_policy global

prompt hostname context


: end