How to fix the source public IP address of users connecting to VPN on ACS 5.8

MeuzKing
Level 1

Hello everyone,
I would like to know if it is possible to fix the source public IP address of users connecting to VPN on ACS 5.8.

In other words, is it possible for the source public IP address of users connecting to VPN to be fixed to ACS 5.8?

I am waiting for your feedback! Thank you!

Regards.

7 Replies

Damien Miller
VIP Alumni
I think you need to clarify the question with a bit more detail. Are you talking about the IP your users connect to start their VPN client? Your users would not be connecting to ACS directly, but rather to a VPN head end, likely a VPN concentrator or firewall. The authentication requests are proxied to ACS for processing, then the results are sent back to the firewall.

The public IP I think you are referring to is likely hosted on a firewall. I doubt there is any change of address required on the ACS side.

Thank you for your feedback Damien,

The idea is to ensure that partners can connect via VPN on our infrastructure only from the public address of their office that they must communicate to us in advance for authorization. So that once at home the user will no longer be able to log in from home.

I would like to know if there is a possibility to fix the public IP address of the Partner on ACS or ASA?

Regards.

Let me see if I'm following, you are wanting to limit VPN access to only specific public source IPs?
Are you wanting to hard code this? ex. Vendor provides you their public IP in advance, then you allow that IP to connect to the VPN?

Good morning Damien,

Yes! That's exactly what I want to do.

Regards.

From the ASA perspective you could apply a control-plane ACL, limiting VPN traffic from known IP addresses to the ASA itself, however this may or may not be a practical solution.

HTH
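A sketch of the control-plane ACL suggested in the reply above, added here as an illustration and not posted by anyone in the thread. The interface name `outside`, the object-group and ACL names, the partner addresses (RFC 5737 documentation ranges) and the VPN ports (TLS/DTLS on 443, IKE on 500/4500) are all assumptions; the rule applies to every connection terminating on that interface, not per user.

```cisco
! Constructed example: partner office addresses supplied in advance
object-group network PARTNER-OFFICES
 network-object host 203.0.113.10
 network-object host 198.51.100.25

! Permit VPN negotiation to the ASA itself only from the listed sources
access-list OUTSIDE-CP extended permit tcp object-group PARTNER-OFFICES any eq https
access-list OUTSIDE-CP extended permit udp object-group PARTNER-OFFICES any eq 443
access-list OUTSIDE-CP extended permit udp object-group PARTNER-OFFICES any eq isakmp
access-list OUTSIDE-CP extended permit udp object-group PARTNER-OFFICES any eq 4500

! Explicit denies so unlisted sources cannot reach the VPN listeners
access-list OUTSIDE-CP extended deny tcp any any eq https
access-list OUTSIDE-CP extended deny udp any any eq 443
access-list OUTSIDE-CP extended deny udp any any eq isakmp
access-list OUTSIDE-CP extended deny udp any any eq 4500

! The control-plane keyword applies the ACL to traffic destined to the ASA,
! not to traffic passing through it
access-group OUTSIDE-CP in interface outside control-plane
```

After applying it, `show access-list OUTSIDE-CP` shows per-entry hit counts, which confirms whether the deny entries are catching connection attempts from unlisted addresses.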

Hello RJI,

I want the vendor to provide me his public IP in advance, then I allow that IP to connect to the VPN in ACS 5.8 and not in ASA.

Regards.

Mike.Cifelli
VIP Alumni
To add to Damien's response I also think your question is a bit unclear. If you are referring to configuring what ACS host your VPN users and specific tunnel groups will use you will need to tweak the settings on your VPN Concentrator. This can be accomplished in your client profiles. Not sure if that is what you are attempting to accomplish. Can you provide more detail?