
Best way to allow a vpn profile only from one address

Hi,

This is a weird request as it flies in the face of the purpose of VPN clients, but I have my reasons:

We don't like Split-T but we have a userbase on a customer site that require it. I have made a special profile for them but they tend to hand out the .pcf to others as well as using it from home, etc. So I want to tie this group policy to a single source address.

Termination device is a 5520 with 8.x

Can it be done in the crypto definition or do I need to use an ACL entry on the outside interface?

Many thanks in advance,

Mike

2 REPLIES

Re: Best way to allow a vpn profile only from one address

Hi Mike,

Have a look at this complete link on implementing digital certificates for controlling your VPN RA users' authorized sources. You can also have the ASA as a local CA server as opposed to using a third party.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1002608

Regards


Re: Best way to allow a vpn profile only from one address

Thanks jorgemcse,

A bit low on time to read that whole doco right now so I won't rate your post. But thanks anyway and it will be good to investigate using the ASA as a local CA server on top of my current issue.

Regards,

Mike
