[ra vpn] restrict allowed ip add for tunnel initiators

Hi,

I've seen several people ask this here, but no definitive answers. I would like to be able to allow only certain IP Adds to initiate a remote access VPN to a certain group.

For example:

IP-Prefix A is allowed to initiate (and connect) to tunnel-group A (but not to tunnel-group B)

IP-Prefix B is allowed to initiate (and connect) to tunnel-group B (but not to tunnel-group A)

Again, the issue here is not what the user is allowed to do once connected, but what IP Adds are allowed to bring up the ra tunnel if authenticated.

Is this possible? If so, can you provide sample config?

Thanks in advance!

c.

2 REPLIES
Re: [ra vpn] restrict allowed ip add for tunnel initiators

Hi,

This does not seem to be possible at the moment. Please contact your Cisco accounts team or reseller to file a feature request.

Thanks,

Guru.

Re: [ra vpn] restrict allowed ip add for tunnel initiators

Hi,

If you have an ACS server then the ACS can restrict which public IPs are allowed to initiate an RA VPN IPsec session to the ASA/router based on profiles.

If you don't have an ACS the only option is on the ASA to create an ACL denying UDP 500 to the outside IP (with the control-plane option) so the ASA will check traffic to itself. But this is not what you're looking for because it will restrict which IPs can initiate RA VPN for the entire ASA (cannot discriminate based on profiles).


Federico.
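As an added illustration of the control-plane ACL approach described in the reply above (example configuration, not something posted in this thread): the ASA permits IKE (UDP 500) from a list of approved source prefixes and drops it from everywhere else. Interface name, object names and addresses are placeholders; the UDP 4500 lines are an assumption that NAT-T clients also exist. As the reply notes, this limits who can start any RA VPN to the ASA, not who can use a particular tunnel-group.

```text
! Constructed addresses: replace with the real outside IP and client prefixes
object network OUTSIDE-IP
 host 192.0.2.1
object-group network VPN-INITIATORS
 network-object 198.51.100.0 255.255.255.0
 network-object 203.0.113.0 255.255.255.0

! Allow IKE (and NAT-T, if used) only from the approved prefixes
access-list TO-THE-BOX extended permit udp object-group VPN-INITIATORS object OUTSIDE-IP eq isakmp
access-list TO-THE-BOX extended permit udp object-group VPN-INITIATORS object OUTSIDE-IP eq 4500
! Drop IKE/NAT-T from any other source before it reaches the VPN process
access-list TO-THE-BOX extended deny udp any object OUTSIDE-IP eq isakmp
access-list TO-THE-BOX extended deny udp any object OUTSIDE-IP eq 4500
! Leave other to-the-box traffic (management, routing) unaffected
access-list TO-THE-BOX extended permit ip any any

! control-plane: apply the ACL to traffic destined to the ASA itself
access-group TO-THE-BOX in interface outside control-plane
```

Check hit counts with `show access-list TO-THE-BOX`; the deny lines show how many unapproved IKE attempts were dropped.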
