06-16-2010 06:27 AM
I have an ASA 5520 firewall in my enterprise. Remote access VPN is configured in the firewall for users. Now I want to create a new VPN group. This new group's VPN users should connect only from the allowed public IP.
Is it possible to achieve this in the ASA without affecting the existing user VPN access?
06-16-2010 06:58 AM
Hi,
The ASA will respond to all ISAKMP requests from any public IP when configured for IPsec.
Creating an ACL and applying it with ''control-plane'' to restrict which IPs can connect via VPN to the ASA is an option, but that will affect all VPN connections.
To apply a restriction of the source IP for VPN for a certain VPN group, the only option that I see is using an ACS server that applies this restriction to the VPN group.
Federico.
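For reference, here is what the control-plane ACL approach described above looks like on the ASA CLI. This is an added example and not configuration from anyone in this thread; it assumes the Internet-facing interface is named "outside" and uses 198.51.100.10 as a constructed placeholder for the single allowed remote-access peer. Because the ACL is applied to all to-the-box traffic on the interface, it cannot be scoped to one tunnel group, which is exactly the limitation being discussed.

```cisco
! Added example (not from the thread): limit which public IPs may start an
! IKE/IPsec exchange with the ASA on the outside interface.
! Assumptions: the outside interface is named "outside"; 198.51.100.10 is a
! constructed placeholder for the one permitted remote-access peer.
!
! Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP only from the allowed peer.
access-list TO-BOX-VPN extended permit udp host 198.51.100.10 any eq isakmp
access-list TO-BOX-VPN extended permit udp host 198.51.100.10 any eq 4500
access-list TO-BOX-VPN extended permit esp host 198.51.100.10 any
!
! Anything else that must reach the ASA itself on this interface (for
! example management access from an admin host) needs its own permit entry,
! since traffic to the box that the ACL does not permit is dropped.
! 198.51.100.20 is another constructed placeholder (admin host).
access-list TO-BOX-VPN extended permit tcp host 198.51.100.20 any eq ssh
!
! The control-plane keyword applies the ACL to traffic destined to the ASA
! itself, not to traffic passing through it.
access-group TO-BOX-VPN in interface outside control-plane
```

Before deploying, confirm on a test unit that existing remote-access users outside the permitted list are really blocked and that management access still works; the ACL hits can be checked with show access-list TO-BOX-VPN.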
06-16-2010 08:36 AM
Thanks for the suggestion. Applying an ACL on the control plane will affect my user VPN too.
I don't have an ACS server. I want to achieve it with the ASA.
06-16-2010 11:07 AM
I don't think there's a way to do this on the ASA itself, unfortunately.
The only way to restrict the ASA from responding to IPsec (on the ASA itself) is by applying an ACL with the control-plane keyword.
But the problem is that it will affect all VPN connections.
Federico.
06-27-2017 11:47 PM
There are better solutions:
- If you use AAA based on LDAP, then use:
nat-assigned-to-public-ip {interface}
- If you use AAA based on RADIUS, then use:
NAS-Port-ID (RADIUS attribute 87)
NAS-Port-ID = Public IP in AnyConnect VPN.
Details:
11-10-2014 03:35 AM
Is it possible to do this for SSL Client VPN?