New Member

Limit VPN Client to ASA from single site

Hi folks,

So I've got a customer (custA) who wants to allow users of a customer of theirs (custB) to connect to custA's network via an ASA using Cisco VPN clients. I'm trying to secure it as much as possible. Can I somehow limit VPN Client connections to the ASA of custA from custB using the public IP of custB's site?

The ASA has other LAN 2 LAN VPN sites that connect to it.

A LAN 2 LAN is not the preferred option here, specified by custA.

I have split tunneling to limit what IPs custB will connect to.

Via an ACL I have defined what ports and IPs they connect to.

RSA will be used, but in a couple of months' time.

XAUTH is configured and using local usernames and passwords.

The public IP of custB is 2.2.2.2 (example for reference)

thanks

Dave

4 REPLIES
Cisco Employee

Re: Limit VPN Client to ASA from single site

Dave,

The ASA provides the following option under group-policy:

  vpn-simultaneous-logins     -    Enter maximum number of simultaneous logins

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1631556

Also from RADIUS.

Is that something you were considering?

Marcin

New Member

Re: Limit VPN Client to ASA from single site

Hi Marcin,

thanks for your suggestions but that's not really what I'm after.

I'd like to deploy for a remote access VPN client something similar to VPN peers for LAN 2 LANs. Is that possible using the public IP address of the remote VPN client's site?

thanks

Dave

Cisco Employee

Re: Limit VPN Client to ASA from single site

Dave,

I don't believe there is an option like this, since you most likely land on a dynamic crypto map.

You would need to make a group-to-IP correlation at some point...

Sorry nothing rings a bell.

If it's only their headquarters that you would like to allow, why not use an L2L tunnel rather than remote access?

Seems like it's what you want anyway ;-)

Marcin

New Member

Re: Limit VPN Client to ASA from single site

No worries. I thought it was worth asking the question.

Posted from my mobile device.
