Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

restrict remote ip addrss to authenticate/access vpn

Hi,

How to restrict remote IP address allowed to authenticate/access to Cisco ASA Firewall IPSEC VPN?


For example, I only want allow x.y.12.0-254 to.

I tried allowing the above IP Address range and deny everything else to the following ports, but it doesn't work. All IP Address still able to authenticate/access Cisco ASA Firewall IPSEC VPN.
- AH
- ESP
- TCP10000
- UDP4500
- UDP500 (ISAKMP)

Please give me advice how to restrict by not putting another box in front of the Cisco ASA Firewall.

TIA

5 REPLIES
Cisco Employee

Re: restrict remote ip addrss to authenticate/access vpn

hi bert

if i understand you right you want to allow only a particular subnet to have management access to your firewall through ipsec vpn??? am i right

if that is so just allow only those ip's to access the firewall using telnet/ssh or http

ssh 10.0.1.0 255.255.255.0 inside

telnet10.1.1.0 255.255.255.0 inside

http 10.1.1.0 255.255.255.0 inside

instead of

ssh 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 inside

Cisco Employee

Re: restrict remote ip addrss to authenticate/access vpn

Hi Bert,

Could you please paste the config on the ASA ? Do you want to restrict VPN access to certain IP addresses ?

Thanks,

Namit

New Member

Re: restrict remote ip addrss to authenticate/access vpn

Hi,

My RA and S2S VPN is working well. User connected and able to access the host once connected to VPN.

What I want is to restrict remote (client) IP Address (public) access to VPN Box (before they get connected thru VPN). Its like putting an ACL allowing only a certain internet IP Address to authenticate/access the VPN Box. VPN Box to drop packet from all IP Address (allow only x.y.12.0/24) trying to connect to port/protocol AH, ESP, TCP10000, UDP500, UDP4500.

Here is the config, I didn't include the VPN config as its working well as mentioned above.

---------------

!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address a.b.121.144 255.255.255.248
!
object-group network ALLOWED
network-object x.y.12. 255.255.255.0
!
access-list outside_access_in extended permit ah object-group ALLOWED host a.b.121.144
access-list outside_access_in extended permit esp object-group ALLOWED host a.b.121.144
access-list outside_access_in extended permit tcp object-group ALLOWED host a.b.121.144 object-group TCP-10000
access-list outside_access_in extended permit udp object-group ALLOWED host a.b.121.144 object-group UDP-VPN-Services
access-list outside_access_in extended deny ah any host a.b.121.144
access-list outside_access_in extended deny esp any host a.b.121.144
access-list outside_access_in extended deny tcp any host a.b.121.144 object-group TCP-10000
access-list outside_access_in extended deny udp any host a.b.121.144 object-group UDP-VPN-Services

------------------------------------------------

Bert

Cisco Employee

Re: restrict remote ip addrss to authenticate/access vpn

now i am again confused

do you want to restrict access to the box after they vpn in (that is ssh telnet or http) or do you want t o stop them from connecting via vpn in the first place

if it is the first one i have already given you the solution

if it is the second one

wht access-list you have is correct, the idea being permit the one's that need to be allowed and deny rest all

but then it depends where you apply i assume you have applied it on the outside interface, this is incorrent apply it on the control plane also remove the sysopt command for vpn if you have any

access-group outside_access_in interface outside control-plane

this is avaiable only in codes beyond 8.04 or 05

also remove this command

sysopt connection permit-vpn

no sysopt connection permit-vpn

New Member

Re: restrict remote ip addrss to authenticate/access vpn

Hi Jathaval,

I want to stop them from connecting via VPN.

My access-list doesn't work. Everybody are still able to connect via VPN. Interesting though, if I put a router in front and put that ACL in the router, it works. But I don't want to invest on that, I want the VPN box to be able to restrict the connection.

The reason I only put VPN ports (not ANY) is because internet need to access some services behind the firewall (e.g. Web, MAIL).

I'm using ASA5510 with OS version 8.2(1).

Thanks.

Bert

1709
Views
0
Helpful
5
Replies
CreatePlease login to create content