Best way to allow a vpn profile only from one address

m.surtees
Level 1

Hi,

This is a weird request as it flies in the face of the purpose of VPN clients, but I have my reasons:

We don't like Split-T but we have a userbase on a customer site that require it. I have made a special profile for them but they tend to hand out the .pcf to others as well as using it from home, etc. So I want to tie this group policy to a single source address.

Termination device is a 5520 with 8.x

Can it be done in the crypto definition or do I need to use an ACL entry on the outside interface?

Many thanks in advance,

Mike

2 Replies

JORGE RODRIGUEZ
Level 10

Hi Mike,

Have a look at this complete link, implementing digital certificates for controlling your VPN RA users' authorized sources. You can also have the ASA as a local CA server as opposed to using a third party.

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/cert_cfg.html#wp1002608

Regards

Jorge Rodriguez

Thanks jorgemcse,

A bit low on time to read that whole doco right now so I won't rate your post. But thanks anyway and it will be good to investigate using the ASA as a local CA server on top of my current issue.

Regards,

Mike
