Cisco Support Community

New Member

Restricting VPN client to specific inside IP's

I want to setup ipsec vpn so that certain vendors can access their server behind the ASA5510, and only their server without using a radius server. What is the best way to accomplish this and what documentation can I use?

4 REPLIES
New Member

Re: Restricting VPN client to specific inside IP's

Wow, I can't believe no one has replied to this. Makes me wonder if it can be done or not.

Green

Re: Restricting VPN client to specific inside IP's

Sure it can. Can you give us a little more information about how you have your vendors set up? Are they all under one tunnel group/policy, and do they authenticate via the LOCAL database on the ASA? You have several options here, so knowing how you are currently set up will point us in the right direction for you.

Here's one possibility, you can assign a vpn-filter on a specific tunnel group policy or per user account on ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

New Member

Re: Restricting VPN client to specific inside IP's

Nothing has been built yet; we are in the consulting stage, and this is one of the questions that came up. I kind of thought it is possible, but I need to verify 100% before saying yes. I just now found a document on the Cisco site. It is a pain in the butt trying to find what you need, and you have to play with the search wording, but I finally hit upon the right words. asdm-restrict-remot-net-access.pdf is what I was looking for. I haven't had a chance to read through it yet, but it appears that I can do this without the use of a RADIUS server.

Green

Re: Restricting VPN client to specific inside IP's

That is the document I referenced above. It goes over creating a vpn-filter, which defines an ACL that is assigned to a tunnel group policy. You can also assign these vpn-filters to individual users in the ASA local database.

Another option is to simply create different tunnel groups and/or group policies, specifying the interesting traffic/NAT exemption/split tunnel ACLs to only include access to specific devices.
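As an added illustration of the vpn-filter approach described in the replies above (this is not configuration from the thread or from the Cisco document it cites), here is a constructed ASA configuration that limits one vendor's IPsec remote-access clients to a single inside server and port, using only the LOCAL user database. The pool, ACL, policy and tunnel-group names, the addresses 192.168.50.0/24 and 10.10.20.15, TCP port 3389, the account name and the pre-shared key are all assumptions; the command syntax is the ASA 8.4-and-later form (`ikev1` keywords). Per the ASA CLI guide, a vpn-filter ACL applied to remote-access clients is written with the client-assigned address as the source and the inside network as the destination; the ASA applies it to traffic in both directions, and the implicit deny at its end blocks everything not explicitly permitted.

```cisco
! Constructed example: all names, addresses, the port and the keys are assumptions.
! Address pool the vendor's clients draw from; the filter below keys on this range.
ip local pool VENDORA-POOL 192.168.50.1-192.168.50.10 mask 255.255.255.0

! vpn-filter ACL for remote-access clients: source = client-assigned address,
! destination = the one inside host/port the vendor is allowed to reach.
! The ACL's implicit deny blocks every other inside destination.
access-list VENDORA-FILTER remark Vendor A: RDP to its own server only
access-list VENDORA-FILTER extended permit tcp 192.168.50.0 255.255.255.0 host 10.10.20.15 eq 3389

! One group policy per vendor keeps each vendor's filter independent of the others.
group-policy VENDORA-POLICY internal
group-policy VENDORA-POLICY attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VENDORA-FILTER

! Tunnel group ties pool, policy and LOCAL authentication together (no RADIUS).
tunnel-group VENDORA type remote-access
tunnel-group VENDORA general-attributes
 address-pool VENDORA-POOL
 default-group-policy VENDORA-POLICY
 authentication-server-group LOCAL
tunnel-group VENDORA ipsec-attributes
 ikev1 pre-shared-key PLACEHOLDER-PSK-CHANGE-ME

! Local account for the vendor, pinned to its policy and tunnel group so the
! user cannot connect through another profile with a broader (or no) filter.
username vendora-tech password PLACEHOLDER-CHANGE-ME
username vendora-tech attributes
 vpn-group-policy VENDORA-POLICY
 group-lock value VENDORA
```

The vpn-filter is the control worth relying on here: it is enforced on the ASA itself, whereas a split-tunnel ACL (the second option mentioned above) only tells the client which routes to send into the tunnel and does not stop traffic the client chooses to send anyway. After a vendor connects, `show vpn-sessiondb detail remote` shows the filter name attached to the session, which is the quickest way to confirm the right group policy (and therefore the right ACL) was applied.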
