First off, we are "New" to the Cisco Firewall/VPN appliance. Temporarily we are using an ASA 5510 VPN appliance to allow limited users access to another state agency's Investigation WEB application. (We are in the process of purchasing a pure VPN appliance.) We have it configured and are able to access the WEB app. However, we want to be able to limit access to the VPN to specific users/PCs. We have individual User accounts created, with passwords. As of yet, we don't have AD, we are a Netware 6.5.8 shop with eDirectory 8.8.5. Is it possible to limit VPN access to Specific IP addresses?? All our PCs have static IP addresses.
I've looked around the ASDM Interface and don't readily see anywhere to set this up.
Let me try to make it clear. We have 13 PCs in our WAN network (1 ea at 12 District offices) that need access to the VPN appliance. All other PCs on our WAN network need to be blocked from accessing the VPN appliance. (NOTE: We need to ensure no PC outside of our WAN will be able to access this VPN appliance either.) The VPN appliance will give those 13 PCs access to another State Agency's WEB site in their LAN (access is STRICTLY limited). We have a router to their environment at our HQ Office and have placed the ASA 5510 between our WAN and that router. We already have an ACL on our Outbound Router to the cloud that blocks the IPs of those 13 PCs from being able to see the outside. But we need the 13 PCs to "talk" to our WSUS and ePO servers (which are located in our HQ Office). Here is what I would like to happen:
;this is the IP range of the other agency's LAN after our VPN appliance
access-list split standard permit XXX.0.0.0 255.0.0.0
;This is an explicit permit for my PC. What I want to move to is a "group permit" (i.e. the "Management-PCs" object-group)
access-list split standard permit host XXX.XXX.XX.236
;this is the IP range of the other agency's LAN after our VPN appliance
access-list MBC-Private_nat0_outbound extended permit ip XXX.XX.XXX.0 255.255.255.0 any
access-list MBC-Private_access_in extended deny ip any any
access-list MBC-Private_access_in extended permit ip object-group Management-PCs any
access-list MBC-Private_access_in extended permit tcp host XXX.XXX.XX.236 any object-group DM_INLINE_TCP_1
access-list MBC-Private_access_in extended deny ip XXX.XXX.24.0 255.255.255.0 any
This VPN Appliance is ONLY for use by PCs inside our WAN. Its purpose is to gain access to an Application located at another State Agency (Outside of our WAN). I know normally you don't restrict IP access to the VPN services since it is usually used to gain access to your WAN from the outside. Having said that, we would like to limit access to the IPs we specify and block all other IPs in our WAN from the VPN services.
How else can you do this if you don't set up a deny????
Sorry, I assume that your user uses VPN Client to access the internal network, right?
User 1 for example is assigned ip address of XXX.XXX.XXX.130 when they are connected via VPN, and you only want user 1 to access XXX.XXX.96.138 but nothing else? And currently you are using local database for user authentication?
Is the above statement correct? If it is, then you can configure the following.
access-list user1-acl permit ip host XXX.XXX.XXX.130 host XXX.XXX.96.138
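The ACL above only takes effect once it is bound to the user as a vpn-filter. The following is an added example, not the replier's configuration, showing that binding; the group-policy name USER1-POLICY and the username user1 are assumed, and the addresses are the masked values from the thread.

```cisco
! Added example (not from the thread): per-user VPN filter on an ASA.
! Assumed names: group policy USER1-POLICY, local username user1.
! Addresses are the masked values used in the thread.
!
! vpn-filter ACLs are written with the VPN client's tunnel address as
! the source and the protected resource as the destination; the ASA
! applies the filter to both directions of the tunnel traffic.
! Anything not permitted here is dropped by the implicit deny.
access-list user1-acl extended permit ip host XXX.XXX.XXX.130 host XXX.XXX.96.138
!
! A dedicated group policy so the filter affects only this user.
group-policy USER1-POLICY internal
group-policy USER1-POLICY attributes
 vpn-filter value user1-acl
!
! Pin the client to a fixed tunnel address so the ACL source always
! matches, and attach the group policy to the local user account.
username user1 attributes
 vpn-framed-ip-address XXX.XXX.XXX.130 255.255.255.0
 vpn-group-policy USER1-POLICY
```

With this in place, user1 can reach only XXX.XXX.96.138 through the tunnel; other users are unaffected until a filter is attached to their own group policy or username.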