Cisco Support Community

New Member

VPN Client Limited to specific source addresses

We would like to limit which IP (public) addresses can establish an IPSec tunnel to our network.

One reason (to help clarify) - if a laptop is stolen and the password is discovered - you still must have a certain IP address or subnet for the tunnel to be established.

Thanks in advance for your help.

3 REPLIES
Gold

Re: VPN Client Limited to specific source addresses

Have all the mobile users got a static IP when they are out of office?

Mobile users often use modem dialup and then connect to the PIX via the software client. If that's the case, then you can't really restrict the source address since you don't know what IP address is going to be assigned to the laptop.

New Member

Re: VPN Client Limited to specific source addresses

We are restrictive in allowing VPN - so the user basically has to tell us what the IP address is. We don't have a lot of mobile users - but we do have vendors who VPN in. Those VPNs for vendors are where we get very restrictive...or would like to be (on their source address).

FYI - we are doing this with a ChkPt firewall - but are trying to migrate from it.

Thanks for your time.

R

New Member

Re: VPN Client Limited to specific source addresses

In order to improve your security you could install RADIUS or TACACS authentication services in order to give each VPN user an ID and password. This way, no matter if the laptop is stolen, if the user doesn't have the correct ID and password, they won't be able to open the tunnel.

Check this for more information:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_user_guide_chapter09186a0080106f8b.html
