New Member

ASA 5520 v7.2 - Restrict Remote Access VPN to a specific object-group

Hi to all,

I would like to know how I can restrict the users (by source IP) that can access a specific object-group.

In my case I have different groups to establish a VPN with the internal networks for different purposes. One of them is for managing the servers and must only be allowed from some specific public IPs that I know, while all the other object-groups should be allowed from any IP.

acomiskey advised me that I could disable "sysopt connection permit-vpn" and create an access-list for the VPN traffic, but it would restrict all the other object-groups, and that isn't possible for me.

Thanks and regards,

Fernando.

4 REPLIES
Cisco Employee

Re: ASA 5520 v7.2 - Restrict Remote Access VPN to a specific obj

Fernando,

For the VPN clients to be connected only from specific IP addresses, it's convoluted with the "no sysopt connection permit-vpn" command, since you need to add an access-list to permit all the clients and deny only some.

But I would suggest that you use the user authentication method to assign them to a group and create a vpn-filter to allow access to specific internal networks.

Hope this works out for you.

Rate this post, if it does.

Cheers

Gilbert

New Member

Re: ASA 5520 v7.2 - Restrict Remote Access VPN to a specific obj

Hi Gilbert,

First of all, thanks for your reply.

But I don't know if you didn't understand my question since I think that it doesn't cover my needs. I will try to explain better:

I have different VPN groups, each of them with different clients (users), and only for one of the groups I would like to restrict the access to only some public IPs (two or three), so that in order for an authorized user to be able to mount a VPN tunnel using that group, the user has to have a valid account and has to be connected from a specific IP, like a double security method.

Regards, Fernando.

Cisco Employee

Re: ASA 5520 v7.2 - Restrict Remote Access VPN to a specific obj

Fernando,

Restriction on a public IP address - No.

Restriction on a specific user to a specific tunnel-group - Yes.

Use the group-lock feature on the group-policy. :)

BTW, thank you very much for explaining. Much appreciated.

Cheers

Gilbert
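As an added illustration of the two suggestions in this thread (vpn-filter in the first reply, group-lock in the one above), not a configuration posted by Gilbert or taken from Cisco documentation: a minimal ASA 7.2 fragment that ties a user to one tunnel-group and limits what that group can reach inside. The names (ADMIN-TUNNEL, ADMIN-POLICY, ADMIN-POOL, ADMIN-VPN-FILTER), the client pool and the internal server subnet are all assumptions, and the password is a placeholder.

```cisco
! Pool handed to admin VPN clients (assumed addressing)
ip local pool ADMIN-POOL 10.10.10.1-10.10.10.20 mask 255.255.255.0

! vpn-filter ACL: source = VPN client pool, destination = the server subnet
! the group is allowed to manage; everything else from this group is dropped.
access-list ADMIN-VPN-FILTER extended permit ip 10.10.10.0 255.255.255.0 192.168.100.0 255.255.255.0

! Group policy for the server-management group
group-policy ADMIN-POLICY internal
group-policy ADMIN-POLICY attributes
 vpn-filter value ADMIN-VPN-FILTER
 ! group-lock: a user carrying this policy may only connect through ADMIN-TUNNEL
 group-lock value ADMIN-TUNNEL

! Local user bound to the policy (a RADIUS/LDAP attribute can do the same)
username admin1 password REPLACE-WITH-REAL-PASSWORD
username admin1 attributes
 vpn-group-policy ADMIN-POLICY

! The tunnel-group for this purpose (7.2 syntax: ipsec-ra)
tunnel-group ADMIN-TUNNEL type ipsec-ra
tunnel-group ADMIN-TUNNEL general-attributes
 address-pool ADMIN-POOL
 default-group-policy ADMIN-POLICY
```

As the reply states, this restricts which user can use which tunnel-group and what the tunnel can reach, but it does not check the client's public source IP; admin1 connecting through any other tunnel-group is rejected by group-lock, while connecting from any Internet address is still accepted.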

New Member

Re: ASA 5520 v7.2 - Restrict Remote Access VPN to a specific obj

Hi Gilbert,

Then, if I understood you well, it is not possible to do what I want.

That is bad news for me, so I will have to look for another way of doing this more securely.

Kind Regards, Fernando.
