Restrict access to VPN Tunnel Group based on Source IP

craigstrait
Level 1

I have a semi-trusted remote network, say 10.10.10.10. When users are on that network I want them to have the ability to connect using a specific Tunnel Group profile, say 'GroupONE.'

When these users travel to a different network, I don't want them to be able to VPN back using the 'GroupONE' profile.

Thoughts on how I'd restrict that?

ASA-5540

Thanks so much!

Craig

3 Replies

b.julin
Level 3

"tunnel-group-map XX enable peer-ip/ike-id"?

I'm not terribly familiar with the rules surrounding certificate matching. I've spent the last two days trying to read everything I can find on that subject and have found the documentation to be quite limited. Can you give me a better idea of how that may work? Is the client's source IP address contained in the certificate?

I haven't used these options but my best guess would be that "ike-id" would be something that the client pulls from the certificate and then sends during Phase 1 negotiation where the ASA can pick it out and use it, whereas "peer-ip" would be taken by the ASA from the source address of the incoming ISAKMP packets.

However, many clients may be configurable to send their IP as the phase 1 ike-id instead of certificate contents.
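The thread does not settle whether the ASA itself can tie a tunnel group to a peer IP, so a defender would at least want to detect 'GroupONE' sessions arriving from outside the semi-trusted network. The following is an added example, not code from the thread or from Cisco: it assumes the trusted network is 10.10.10.0/24 (the question only says "say 10.10.10.10") and uses constructed log lines modelled on the ASA IPsec phase 2 syslog message; adjust the regular expression to the exact format your ASA emits.

```python
import ipaddress
import re

# Assumption: the semi-trusted network from the question is 10.10.10.0/24,
# and GroupONE is the only tunnel group with a source restriction.
TRUSTED_NETS = {"GroupONE": [ipaddress.ip_network("10.10.10.0/24")]}

# Constructed sample lines, modelled on the ASA 713120 phase 2 message;
# the second line is a GroupONE session from an untrusted address.
SAMPLE_LOGS = """\
%ASA-6-713120: Group = GroupONE, Username = craig, IP = 10.10.10.23, PHASE 2 COMPLETED (msgid=0x1a2b3c4d)
%ASA-6-713120: Group = GroupONE, Username = craig, IP = 198.51.100.7, PHASE 2 COMPLETED (msgid=0x2b3c4d5e)
%ASA-6-713120: Group = GroupTWO, Username = alice, IP = 203.0.113.9, PHASE 2 COMPLETED (msgid=0x3c4d5e6f)
"""

LINE_RE = re.compile(
    r"Group = (?P<group>\S+), Username = (?P<user>\S+), "
    r"IP = (?P<ip>[\d.]+), PHASE 2 COMPLETED"
)


def is_source_allowed(group, ip):
    """True if the group has no restriction or the peer IP is in an allowed prefix."""
    nets = TRUSTED_NETS.get(group)
    if nets is None:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_violations(log_text):
    """Return (group, user, ip) for sessions built from outside the group's allowed networks."""
    violations = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a phase 2 completion line; skip it
        if not is_source_allowed(m["group"], m["ip"]):
            violations.append((m["group"], m["user"], m["ip"]))
    return violations


if __name__ == "__main__":
    for group, user, ip in find_violations(SAMPLE_LOGS):
        print(f"ALERT: {user} connected to {group} from {ip}, outside the trusted network")
```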