
Forcing authentication only on a predefined interface

Hi,

Is there a way to set up a tunnel IPSEC for a certain group only on a predefined interface? And how?

ISAKMP must be enabled on all interfaces, because I have tunnels on all interfaces.

Thank you.

Massimiliano.

14 REPLIES

Re: Forcing authentication only on a predefined interface

For digital certificate based VPNs you can do it like this:

http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftdnacl.html

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

Hi Farrukh.

Thank for your reply.

I have no VPN based on digital certificates. How can I obtain the same result?

Thank you.

Massimiliano.

Re: Forcing authentication only on a predefined interface

Two questions: which platform, and which VPN type (L2L, RA IPsec, etc.)?

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

Hi,

The platform is a PIX 525 with OS 7.2

The type of VPN is IPsec, client-to-gateway. The software is Cisco VPN Client for Linux.

Thank you.

Massimiliano.

Re: Forcing authentication only on a predefined interface

For the PIX you don't even need to control this! The host can only 'hit' the crypto map on the interface it is 'coming from'.

e.g. the source IP for the VPN client is 4.4.4.4. If this is reachable via the outside interface (via the default route), this host can ONLY access the 'outside' crypto map. It won't be able to access any crypto map applied on other interfaces like DMZ1, WAN, etc.

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

Hi Farrukh,

Another way to say what I need.

Say we have a firewall with two interfaces: outside and inside. I have credentials (VPN group, username and password). We have ISAKMP enabled on outside and inside. I want the user with those credentials to be able to access the VPN on only one interface (say inside); I don't want to control the IP address.

Thank you.

Massimiliano.

P.S.: Another question...PIX or ASA support NetFlow?

Re: Forcing authentication only on a predefined interface (accepted solution)

Well, you can remove the sysopt connection permit-vpn command and allow VPNs through ACLs only. This command bypasses the ACL check for firewall-terminated crypto traffic; it's enabled by default. Disable this, and allow each SPECIFIC IP access to a specific crypto interface. Or deny some and allow others (this would especially be true on the outside).

ASA 8.1 added support for NetFlow, but only on the higher-end models (5580-XX). Maybe we will see it in the future on other models as well.

Regards

Farrukh
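The following configuration sketch is an added illustration of the approach described in the accepted answer; it is not configuration posted in the thread. It assumes a PIX/ASA 7.2-style syntax, interfaces named "outside" and "inside", two hypothetical remote-access tunnel groups (RA-INSIDE and RA-OUTSIDE) with their own address pools, and constructed pool ranges 10.10.1.0/24 and 10.10.2.0/24. The idea is that once `sysopt connection permit-vpn` is disabled, the decrypted client traffic is subject to the ACL of the interface the tunnel terminated on, so giving each group a distinct pool lets the per-interface ACL accept one group's traffic and drop the other's.

```cisco
! Added example, not from the thread. Hypothetical names: RA-INSIDE, RA-OUTSIDE,
! POOL-INSIDE, POOL-OUTSIDE, INSIDE-IN, OUTSIDE-IN. Pool ranges are constructed.
!
! Step 1: stop decrypted VPN traffic from bypassing the interface ACLs
! (the default behaviour the accepted answer refers to).
no sysopt connection permit-vpn
!
! Step 2: give each group its own address pool so decrypted traffic can be
! identified by its source address on the terminating interface.
ip local pool POOL-INSIDE 10.10.1.1-10.10.1.254 mask 255.255.255.0
ip local pool POOL-OUTSIDE 10.10.2.1-10.10.2.254 mask 255.255.255.0
!
tunnel-group RA-INSIDE type ipsec-ra
tunnel-group RA-INSIDE general-attributes
 address-pool POOL-INSIDE
tunnel-group RA-INSIDE ipsec-attributes
 pre-shared-key <group-psk-placeholder>
!
tunnel-group RA-OUTSIDE type ipsec-ra
tunnel-group RA-OUTSIDE general-attributes
 address-pool POOL-OUTSIDE
tunnel-group RA-OUTSIDE ipsec-attributes
 pre-shared-key <group-psk-placeholder>
!
! Step 3: per-interface ACLs decide which pool (and therefore which group)
! may pass once decrypted on that interface. RA-INSIDE clients that happen to
! terminate on "outside" get their decrypted packets dropped, and vice versa.
access-list INSIDE-IN extended permit ip 10.10.1.0 255.255.255.0 any
access-list INSIDE-IN extended deny ip 10.10.2.0 255.255.255.0 any
! ... existing rules for traffic originating on the inside follow ...
access-list OUTSIDE-IN extended permit ip 10.10.2.0 255.255.255.0 any
access-list OUTSIDE-IN extended deny ip 10.10.1.0 255.255.255.0 any
! ... existing rules for traffic originating on the outside follow ...
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
```

Two caveats worth keeping in mind. First, this is data-plane enforcement only: IKE and the IPsec tunnel still come up on the "wrong" interface, and only the decrypted traffic is discarded, so it does not stop a client from authenticating there, which is what the thread's title asks for. Second, the check is on the pool address, not on the group or username directly, which matches the accepted answer's point that the restriction has to be expressed in terms of IPs. Hit counts from `show access-list INSIDE-IN` and `show access-list OUTSIDE-IN` are the quickest way to confirm which rule a given client's traffic is landing on.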

Re: Forcing authentication only on a predefined interface

Hi Farrukh.

Can I make the distinction on which interface to use based on group, username and password?

Massimiliano.

P.S.: A rating for your response regarding NetFlow, and another question :)) How can I collect data (like NetFlow) on a PIX/ASA?

Re: Forcing authentication only on a predefined interface

Thank you for the rating :).

As I said, you need an ASA 5580 for that:

http://www.cisco.com/en/US/docs/security/asa/asa81/netflow/netflow.html

No I don't think you can make it based on groups or usernames. You have to use IPs.

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

Thanks.

Massimiliano.

Re: Forcing authentication only on a predefined interface

This is a better link, ignore that one please:

http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/monitor.html#wp1099818

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

By the way, if you use ACS for AAA authentication,

there is an option called tunnel-group-lock.

You can lock a user or group to a specific VPN tunnel-group on the PIX/ASA.

This will be group-based on the VPN tunnel-group.

If helpful, rate.

Re: Forcing authentication only on a predefined interface

How does that achieve the requirement? I'm sorry I must be missing something here.

Regards

Farrukh

Re: Forcing authentication only on a predefined interface

Hi,

But I want to lock a group to a particular interface...

Massimiliano.
