
allow only specific IPs to connect ASA by IPSec remote access VPN

pt_wang
Level 1

How do I set up the ASA to allow only specific IPs (peer IPs) to connect to the ASA by remote access VPN (IPsec VPN client S/W)?

Due to the remote access VPN, I had set up an assigned IP for the remote access VPN client during dial-in.

I tried to use the IPv4 Filter, but it always failed.

7 Replies

mvsheik123
Level 7

As crypto is enabled on the 'outside' interface, I don't think there is a way to restrict this on the ASA itself by ACL. But if you have a router in front of the ASA, you can use an ACL to restrict the access.

Thx

MS

It is doable on the ASA.

You need to use a crypto dynamic-map and set it to a specific peer only; see the example below for IKEv2:

crypto dynamic-map DYNMAP 65005 set peer 2.2.2.2
crypto dynamic-map DYNMAP 65005 set ikev2 ipsec-proposal IKEv2-IPSEC-PROPOSAL

Igor

Hi,

Yes, it is possible, just use the control-plane feature.

Do some research; in case of doubts, please let me know.

Thanks

Portu


nkarthikeyan
Level 7

Hi,

Yes. You can have the ACL created for inbound (outside to inside), where you can mention the specific IPs, and it needs to be applied to the box instead of only on the interface.

access-group outside_in in interface outside control-plane

Try this and check.

Please do rate if the given information helps.

By

Karthik
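
The control-plane approach from the reply above, written out as an added example that is not part of any post in this thread: an ACL that admits IKE, NAT-T and ESP to the ASA only from approved peers, bound with the control-plane keyword. The ACL name CP_VPN_PEERS and the peer addresses are constructed placeholders; only the interface name "outside" comes from the thread.

```text
! Added example, not from the thread. CP_VPN_PEERS and the peer
! addresses (documentation ranges) are constructed placeholders.
!
! Approved peer 1: IKE (UDP 500), NAT-T (UDP 4500) and ESP to the box.
access-list CP_VPN_PEERS extended permit udp host 198.51.100.10 any eq isakmp
access-list CP_VPN_PEERS extended permit udp host 198.51.100.10 any eq 4500
access-list CP_VPN_PEERS extended permit esp host 198.51.100.10 any
!
! Approved peer 2.
access-list CP_VPN_PEERS extended permit udp host 203.0.113.25 any eq isakmp
access-list CP_VPN_PEERS extended permit udp host 203.0.113.25 any eq 4500
access-list CP_VPN_PEERS extended permit esp host 203.0.113.25 any
!
! Every other source is denied for the same protocols. The denies are
! written out explicitly rather than left to an implicit rule, and they
! are scoped to IPsec so other to-the-box services are not matched.
! Any site-to-site peer terminating on this interface must be added to
! the permit entries above, or these lines will drop it too.
access-list CP_VPN_PEERS extended deny udp any any eq isakmp
access-list CP_VPN_PEERS extended deny udp any any eq 4500
access-list CP_VPN_PEERS extended deny esp any any
!
! Bind as a control-plane ACL: it filters traffic that terminates on the
! ASA itself. Note the direction keyword "in" after the ACL name.
access-group CP_VPN_PEERS in interface outside control-plane
```

After a test connection from an approved and an unapproved address, the hit counts in "show access-list CP_VPN_PEERS" show which entries matched.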

Hi MS,

In case you do not have any further questions, please rate any helpful posts and mark this question as answered.

Thanks.

Portu

alexg
Level 1

There is no answer to that question. Only control-plane mention without examples which still doesn't work for me. Please provide working examples on how to allow ONLY certain IPs to access IPsec. Basic cheap firewalls provide that feature out of the box, but not ASA.
