Cisco Support Community

New Member

Public ip restriction for client based VPN

I have an ASA 5520 firewall in my enterprise. Remote access VPN is configured on the firewall for users. Now I want to create a new VPN group. Users of this new VPN group should connect only from the allowed public IP.

Is it possible to achieve this on the ASA without affecting the existing user VPN access?

5 REPLIES

Re: Public ip restriction for client based VPN

Hi,

The ASA will respond to all ISAKMP requests from any public IP when configured for IPsec.

Creating an ACL, applying it with "control-plane", and restricting which IPs can connect via VPN to the ASA is an option, but that will affect all VPN connections.

To apply a restriction of the source IP for VPN for a certain VPN group, the only option that I see is using an ACS server that applies this restriction to the VPN group.

Federico.

New Member

Re: Public ip restriction for client based VPN

Thanks for the suggestion. Applying an ACL on the control plane will affect my user VPN too.

I don't have an ACS server. I want to achieve it with the ASA.

Re: Public ip restriction for client based VPN

I don't think there's a way to do this on the ASA itself, unfortunately.

The only way to restrict the ASA from responding to IPsec (on the ASA itself) is by applying an ACL with the control-plane keyword.

But the problem is that it will affect all VPN connections.

Federico.
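
The control-plane ACL discussed in the replies above, sketched as an added example (not configuration posted by any participant in this thread). The ACL name VPN-CP, the interface name outside, and the documentation address 203.0.113.10 are assumptions. The ACL is bound to the interface and not to a tunnel group, so it filters IKE/IPsec from every client, which is why it cannot restrict only one VPN group.

```cisco
! Added example: ACL name, interface name and address are assumed values.
! Allow IKE, NAT-T and ESP to the ASA only from the permitted public IP.
access-list VPN-CP extended permit udp host 203.0.113.10 any eq isakmp
access-list VPN-CP extended permit udp host 203.0.113.10 any eq 4500
access-list VPN-CP extended permit esp host 203.0.113.10 any
! Drop IKE, NAT-T and ESP from every other source. This applies to ALL
! IPsec VPN groups terminating on this interface, including existing users.
access-list VPN-CP extended deny udp any any eq isakmp
access-list VPN-CP extended deny udp any any eq 4500
access-list VPN-CP extended deny esp any any
! Leave other to-the-box traffic outside the scope of this ACL's implicit deny.
access-list VPN-CP extended permit ip any any
! The control-plane keyword makes the ACL apply to traffic destined to the
! ASA itself instead of traffic passing through it.
access-group VPN-CP in interface outside control-plane
```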

New Member

There is one best solution

The best solutions are:

- If you use AAA based on LDAP, then use:

nat-assigned-to-public-ip {interface}

- If you use AAA based on RADIUS, then use:

NAS-Port-ID (RADIUS attribute 87)

NAS-Port-ID = Public IP in AnyConnect VPN.

Details:

https://netconfigure.net/index.php/ru/forum/12-konfiguratsiya-setevogo-oborudovaniya/199-cisco-anyconnect-source-ip-restrict-ogranichenie-dostupa-po-vneshnemu-ip-klienta

New Member

Is that possible to do for SSL client VPN?
