Can an ASA 5506-X be configured to limit what IP addresses can connect to a Remote Access

dougreid
Level 1

Need to enable some more security on a client's network. Can a list of allowed IP addresses be set for VPN remote access?


Thanks

7 Replies

Rahul Govindan
VIP Alumni

You can create a new control-plane ACL and apply it to the outside interface. This ACL limits what source IP addresses can hit the ASA on port 443.


Example access-group below:


access-group access_list in interface interface_name control-plane


Remote Access (IKEv1) uses UDP port 500.

Sorry, assumed it was for remote access using the AnyConnect client. Same concept though. You can use a control-plane ACL to allow UDP 500 only from certain IP addresses to the ASA's outside interface.

- Create access_list with each IP address that can access VPN.

- Create access-group access_list in interface interface_name control-plane

RA_IP_ACCESS line 1 extended permit udp host 127.0.0.1 eq isakmp interface outside eq isakmp

Rahul,

I am still new to configuring ASAs. This seems like it is a two step process:

- create the access-list
- create the control-plane ACL

I am missing a detail to get this to work.

Example:


access-list control-plane-acl extended permit udp host 1.1.1.1 host 2.2.2.2 eq isakmp

access-group control-plane-acl in interface outside control-plane


Where 1.1.1.1 is the public ip of client and 2.2.2.2 is outside ip address of the ASA.
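As an added example (not from the thread and not Cisco's own tooling), the Python below builds the control-plane ACL that Rahul's two steps describe and that the configuration above writes out by hand, starting from a list of allowed client addresses, and then checks sample connection attempts against it the way an ASA evaluates an access list: the first matching entry decides, and anything with no match falls through to the implicit deny. The addresses, the ACL name and the extra ports it opens (UDP 4500 for IKE NAT traversal when a client sits behind NAT, TCP/UDP 443 for the AnyConnect case Rahul first assumed) are assumptions for the illustration, not values from the thread.

```python
"""Generate an ASA control-plane ACL from a VPN source allow list and evaluate
sample connections against it (first match wins, implicit deny at the end)."""
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed inputs (RFC 5737 documentation addresses), not taken from the thread.
ALLOWED_SOURCES = ["203.0.113.10", "198.51.100.0/29"]  # client public IPs / ranges allowed to connect
ASA_OUTSIDE_IP = "192.0.2.1"  # placeholder for the ASA outside interface address

# Ports a remote-access client must reach on the ASA itself (assumed profiles).
# IKEv1, the thread's case, uses UDP 500; UDP 4500 is IKE NAT traversal, needed when
# the client is behind NAT. AnyConnect/SSL uses TCP 443 (and UDP 443 for DTLS).
VPN_SERVICES = {
    "ikev1": [("udp", 500), ("udp", 4500)],
    "anyconnect": [("tcp", 443), ("udp", 443)],
}


@dataclass
class Ace:
    """One access-control entry of an ASA extended access list."""
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    dst_host: str
    dport: int

    def render(self, acl_name: str) -> str:
        # ASA syntax: "host a.b.c.d" for a single address, "network mask" for a range
        if self.src_net.num_addresses == 1:
            src = f"host {self.src_net.network_address}"
        else:
            src = f"{self.src_net.network_address} {self.src_net.netmask}"
        return (f"access-list {acl_name} extended {self.action} {self.proto} "
                f"{src} host {self.dst_host} eq {self.dport}")


def build_acl(allowed_sources, asa_ip, profile="ikev1") -> List[Ace]:
    """One permit entry per allowed source and per port the VPN profile needs."""
    aces = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        for proto, port in VPN_SERVICES[profile]:
            aces.append(Ace("permit", proto, net, asa_ip, port))
    return aces


def render_config(aces, acl_name="RA_IP_ACCESS", interface="outside") -> List[str]:
    """The access-list lines plus the access-group that binds them as a control-plane ACL."""
    lines = [ace.render(acl_name) for ace in aces]
    # Applies to traffic addressed to the ASA itself on that interface;
    # anything not permitted here is dropped by the implicit deny.
    lines.append(f"access-group {acl_name} in interface {interface} control-plane")
    return lines


def acl_permits(aces, src_ip, dst_ip, proto, dport) -> bool:
    """Evaluate one to-the-box connection attempt: first matching entry decides,
    no match means the implicit deny applies."""
    src = ipaddress.ip_address(src_ip)
    for ace in aces:
        if (src in ace.src_net and dst_ip == ace.dst_host
                and proto == ace.proto and dport == ace.dport):
            return ace.action == "permit"
    return False


if __name__ == "__main__":
    acl = build_acl(ALLOWED_SOURCES, ASA_OUTSIDE_IP)
    print("\n".join(render_config(acl)))
    # Constructed connection attempts: an allowed host, a neighbour outside the
    # allow list, a host from the allowed range using NAT-T, and an allowed host
    # trying the AnyConnect port, which the IKEv1 profile does not open.
    samples = [("203.0.113.10", "udp", 500), ("203.0.113.11", "udp", 500),
               ("198.51.100.5", "udp", 4500), ("203.0.113.10", "tcp", 443)]
    for src, proto, port in samples:
        verdict = "permit" if acl_permits(acl, src, ASA_OUTSIDE_IP, proto, port) else "deny"
        print(f"{src} -> {proto}/{port}: {verdict}")
```

Running it prints the generated access-list and access-group lines, then the verdict for each sample attempt; the last sample shows the detail that trips people up with control-plane ACLs: anything the list does not permit to the ASA itself is denied, so every port the chosen VPN type uses has to be listed, not only the one the client first connects to.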
