11-20-2017 08:01 AM - edited 03-12-2019 04:45 AM
Not sure if this is possible...
I have a tunnel group and the relevant group policy set up for an AnyConnect group. Also have split tunnel and vpn-filter ACL created to lock down access to required services.
User has been created and locked down to that tunnel group.
This all works fine as expected and how I want.
Is there a way however to allow only a specific external IP to access that specific Tunnel Group? I think not from my own research. Is there a better way to achieve the above and the External IP restriction?
Thanks
11-20-2017 08:08 AM
Hi @GRANT3779
I think it is possible if you know the IP. You can try something like:
ciscoasa(config)# access-list FILTER-VPN deny udp "target Host" "Firewall IP" eq 500
ciscoasa(config)# access-list FILTER-VPN permit ip any any
ciscoasa(config)# access-group FILTER-VPN in interface outside control-plane
Not sure about your firewall version.
-If I helped you somehow, please, rate it as useful.-
11-21-2017 01:15 AM
Hi Flavio,
I think my Title was misleading now I read it again. What I am looking for is to allow only certain Public IPs to access a specific tunnel group.
I have many other tunnel groups, but for one of these I would like only a specific range of Public IPs to be able to access it.
11-21-2017 03:36 AM
The idea remains the same. The thing is, IPSEC traffic is sent to the firewall's control plane so you won't block it with a regular ACL, so you need to use those ACLs shown above. What you need to do is block accordingly.
-If I helped you somehow, please, rate it as useful.-
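The control-plane ACL approach from the reply above, worked out as a full allow-list for the VPN services on the outside interface (an added example, not configuration posted by anyone in this thread). It assumes constructed documentation addresses: 203.0.113.0/24 is the permitted public source range and 198.51.100.1 is the ASA's outside interface address; the ACL name VPN-CONTROL-PLANE is also assumed.

```cisco
! Added example with constructed addresses (203.0.113.0/24 = allowed public range,
! 198.51.100.1 = ASA outside interface). Not from this thread.
! Permit the trusted range to reach IKE (500), NAT-T (4500), SSL (tcp 443) and DTLS (udp 443)
access-list VPN-CONTROL-PLANE extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq isakmp
access-list VPN-CONTROL-PLANE extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 4500
access-list VPN-CONTROL-PLANE extended permit tcp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq https
access-list VPN-CONTROL-PLANE extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 443
! Deny the same VPN services from every other source
access-list VPN-CONTROL-PLANE extended deny udp any host 198.51.100.1 eq isakmp
access-list VPN-CONTROL-PLANE extended deny udp any host 198.51.100.1 eq 4500
access-list VPN-CONTROL-PLANE extended deny tcp any host 198.51.100.1 eq https
access-list VPN-CONTROL-PLANE extended deny udp any host 198.51.100.1 eq 443
! Keep all other to-the-box traffic as it was; the control-plane ACL ends in an implicit deny
access-list VPN-CONTROL-PLANE extended permit ip any any
! Apply to traffic addressed to the ASA itself on the outside interface
access-group VPN-CONTROL-PLANE in interface outside control-plane
```

This is an interface-wide restriction: it gates every tunnel group terminating on that interface, not just one, so users of the other tunnel groups must also come from the permitted range. Check hit counts with show access-list VPN-CONTROL-PLANE after applying it.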
11-21-2017 08:34 AM
Not possible AFAIK. You can only do an all or nothing block using control-plane ACL.
Is there some other identifying characteristic apart from IP address? Maybe you could use DAP to block the attempt post authentication.
11-22-2017 01:04 PM
Hi,
@Rahul Govindan this is what I did think when reading further on the control plane ACL. I will see what other options we have.
Thanks both for the feedback.
06-26-2019 08:20 AM
Team - Please allow me to resurrect this old post, can someone please let me know how to lock down a local user to a specific tunnel-group? Any feedback is appreciated.
06-26-2019 10:50 AM
There are different ways to accomplish this... You can use DAP (dynamic access policy) to create a specific Group-Policy for a username.
Alternatively you can use Tunnel-Group Lock. I have seen tunnel-group lock option on the ASA (using ASDM) but I have never used that flavor, instead I use it on our ACS server which is acting as the AAA server for authentication. The policies on the ACS box make sure the user account can only connect to the tunnel-group they are part of on the ACS box.