03-05-2019 08:52 AM - edited 02-21-2020 08:54 AM
Need to enable some more security on a client's network. Can I set a list of allowed IP addresses for VPN remote access?
Thanks
03-05-2019 10:38 AM
You can create a new control-plane ACL and apply it to the outside interface. This ACL limits what source IP addresses can hit the ASA on port 443.
Example access-group below:
access-group access_list in interface interface_name control-plane
03-05-2019 11:14 AM
Remote Access (IKEv1) uses UDP port 500.
03-05-2019 12:28 PM
Sorry, assumed it was for remote access using the AnyConnect client. Same concept though. You can use a control-plane ACL to allow UDP 500 only from certain IP addresses to the ASA's outside interface.
03-05-2019 01:10 PM
- Create access_list with each IP address that can access VPN.
- Create access-group access_list in interface interface_name control-plane
03-05-2019 01:32 PM
03-05-2019 02:54 PM
03-07-2019 07:40 AM
Example:
access-list control-plane-acl extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp
access-group control-plane-acl in interface outside control-plane
Where 1.1.1.1 is the public IP of the client and 2.2.2.2 is the outside IP address of the ASA.
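A fuller version of the same idea, added here as an illustration and not taken from any post in this thread: it groups the allowed peers in an object-group so the list can grow without editing the ACL, and it permits the ports an IKEv1 remote-access client actually needs (UDP 500 for ISAKMP, UDP 4500 for NAT-T, and ESP for peers that are not behind NAT). The names VPN-PEERS and control-plane-acl, and the addresses 203.0.113.10, 203.0.113.11 and 198.51.100.1 (RFC 5737 documentation ranges), are placeholders chosen for the example.

```cisco
! Allowed remote-access peers (placeholder addresses; add one line per client)
object-group network VPN-PEERS
 network-object host 203.0.113.10
 network-object host 203.0.113.11

! 198.51.100.1 stands in for the ASA's outside interface address.
! IKEv1 (ISAKMP) on UDP 500
access-list control-plane-acl extended permit udp object-group VPN-PEERS host 198.51.100.1 eq isakmp
! IKEv1 with NAT traversal on UDP 4500
access-list control-plane-acl extended permit udp object-group VPN-PEERS host 198.51.100.1 eq 4500
! ESP for peers that negotiate IPsec without NAT-T
access-list control-plane-acl extended permit esp object-group VPN-PEERS host 198.51.100.1

! Apply to traffic destined to the ASA itself (to-the-box), not through-traffic
access-group control-plane-acl in interface outside control-plane
```

Two things to check before applying this on a production box. First, a control-plane ACL ends in an implicit deny for every to-the-box flow on that interface, so any management access you rely on from the outside (SSH, ASDM on 443) must get its own permit line before the `access-group` command, or you lock yourself out. Second, verify it is doing what you expect with `show access-list control-plane-acl`: the hit counts on each entry should climb as allowed clients connect, and a client that is not in VPN-PEERS should simply time out during IKE negotiation rather than reach the tunnel-group.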