
Restrict RemoteAccess VPN to ASA 5520 v 7.2

Hi to all,

I would like to know how I can restrict the hosts that can establish a Remote Access VPN with my ASA.

For example, I would like to allow some public IPs and deny all the others.

I have been looking in the manuals and on the web, but I haven't been able to find a solution.

Thanks and regards,

Fernando.

3 REPLIES

Re: Restrict RemoteAccess VPN to ASA 5520 v 7.2

Fernando,

If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists.

If you are interested in filtering traffic after the session has been established, then you are looking for this...

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml


Re: Restrict RemoteAccess VPN to ASA 5520 v 7.2

Hi acomiskey,

First of all, thanks for your reply.

You said:

"If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists."

I was looking for something similar to this, but to be applied to the object-group. I will go into more depth. I have two different groups for the VPN: one for management that would need to be filtered to allow only some public IPs, and another VPN for office users that would be able to access from any public IP. So if I used your solution, it would deny access for the office users.

Would it be possible to do it in another way?

Kind Regards, Fernando.

Re: Restrict RemoteAccess VPN to ASA 5520 v 7.2

Hi,

If you have an ACS, you can send attributes to the ASA to block IPsec tunnel attempts to the ASA based on profiles.

Federico.
