https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814580#M6629 Rahul,<BR /><BR />I am still new to configuring ASAs. This seems like it is a two step process:<BR /><BR />- create the access-list<BR />- create the control-plane ACL<BR /><BR />I am missing a detail to get this to work.<BR /> Tue, 05 Mar 2019 22:54:29 GMT dougreid 2019-03-05T22:54:29Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814397#M6623 <P>Need to enable some more security to a clients network. &nbsp; Can a set of Iist of allowed IP addresses for VPN remote access?</P><P>&nbsp;</P><P>Thanks</P> Fri, 21 Feb 2020 16:54:07 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814397#M6623 dougreid 2020-02-21T16:54:07Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814442#M6624 <P>You can create a new control-plane ACL and apply it to the outside interface. This ACL limits what source ip addresses can hit the ASA on port 443.&nbsp;</P> <P>&nbsp;</P> <P>Example access-group below:</P> <P>&nbsp;</P> <P class="pCENB_CmdEnv_NoBold"><STRONG class="cCN_CmdName">access-group</STRONG><SPAN>&nbsp;</SPAN><EM class="cArgument">access_list&nbsp;</EM><STRONG class="cKeyword">in</STRONG><STRONG class="cKeyword"><SPAN>&nbsp;</SPAN>interface</STRONG><SPAN>&nbsp;</SPAN><EM class="cArgument">interface_name<SPAN>&nbsp;</SPAN></EM><STRONG class="cKeyword">control-plane</STRONG></P> <P class="pCENB_CmdEnv_NoBold">&nbsp;</P> <P class="pCENB_CmdEnv_NoBold">&nbsp;</P> <P class="pCENB_CmdEnv_NoBold">&nbsp;</P> Tue, 05 Mar 2019 18:38:20 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814442#M6624 Rahul Govindan 2019-03-05T18:38:20Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814463#M6625 <P>Remote Access (IKEv1) uses UDP port 500.</P> Tue, 05 Mar 2019 19:14:56 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814463#M6625 dougreid 2019-03-05T19:14:56Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814509#M6626 <P>Sorry, assumed it was for remote access using the AnyConnect client. Same concept though. You can use control-plane ACL to allow udp500 only from certain ip addresses to the ASA's outside interface.&nbsp;</P> Tue, 05 Mar 2019 20:28:31 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814509#M6626 Rahul Govindan 2019-03-05T20:28:31Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814529#M6627 <P>- Create access_list with each IP address that can access VPN.</P><P>- Create <STRONG>a</STRONG><STRONG>ccess-group</STRONG><SPAN>&nbsp;</SPAN><EM>access_list&nbsp;</EM><STRONG>in</STRONG><STRONG><SPAN>&nbsp;</SPAN>interface</STRONG><SPAN>&nbsp;</SPAN><EM>interface_name<SPAN>&nbsp;</SPAN></EM><STRONG>control-plane</STRONG></P> Tue, 05 Mar 2019 21:10:59 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814529#M6627 dougreid 2019-03-05T21:10:59Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814542#M6628 RA_IP_ACCESS line 1 extended permit udp host 127.0.0.1 eq isakmp interface outside eq isakmp Tue, 05 Mar 2019 21:32:10 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814542#M6628 dougreid 2019-03-05T21:32:10Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814580#M6629 Rahul,<BR /><BR />I am still new to configuring ASAs. This seems like it is a two step process:<BR /><BR />- create the access-list<BR />- create the control-plane ACL<BR /><BR />I am missing a detail to get this to work.<BR /> Tue, 05 Mar 2019 22:54:29 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3814580#M6629 dougreid 2019-03-05T22:54:29Z https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3815714#M6630 <P>Example:</P> <P>&nbsp;</P> <P>access-list control-plane-acl extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp </P> <P>access-group control-plane-acl in interface outside <STRONG>control-plane</STRONG></P> <P>&nbsp;</P> <P>Where 1.1.1.1 is the public ip of client and 2.2.2.2 is outside ip address of the ASA.</P> Thu, 07 Mar 2019 15:40:42 GMT https://community.cisco.com/t5/network-security/can-a-asa-5506-x-be-configured-to-limit-what-ip-addresses-can/m-p/3815714#M6630 Rahul Govindan 2019-03-07T15:40:42Z