Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN client address limitation.




My ASA is running SSL VPN, the authentication server is ACS.

Both of them are working well.



now, I need a limitation:

Some IDs can use VPN when they come from specific IP, like at office.

Not anywhere, like at home, hotel...


May I know if it is possible please? 

Can NAR hlep on that?  



Thanks in advance.

Hall of Fame Super Silver

There are a lot of things you

There are a lot of things you can use in a Dynamic Access Policy (DAP) but end user IP address isn't one of them.

Network Access Restriction (NAR) in ACS can be used to grant or deny authorization based on IP address but with a remote access VPN I believe it would be the VPN-assigned address seen by the ACS server. I'm not absolutely positive about that though.

Have you considered an ACL for tcp/443 on the interface used for VPN access?

New Member

Thanks for reply. I don't

Thanks for reply.


I don't think ACL for tcp/443 can help on the limitation, the limitation base on both IDs and IP.


I will loook into DAP first.