08-24-2010 10:15 AM
Hi,
I've seen several people ask this here, but no definitive answers. I would like to be able to allow only certain IP addresses to initiate a remote access VPN to a certain group.
For example:
IP-Prefix A is allowed to initiate (and connect) to tunnel-group A (but not to tunnel-group B)
IP-Prefix B is allowed to initiate (and connect) to tunnel-group B (but not to tunnel-group A)
Again, the issue here is not what the user is allowed to do once connected, but which IP addresses are allowed to bring up the RA tunnel if authenticated.
Is this possible? If so, can you provide sample config?
Thanks in advance!
c.
09-01-2010 02:36 PM
Hi,
This does not seem to be possible at the moment. Please contact your Cisco account team or reseller to file a feature request.
Thanks,
Guru.
09-01-2010 04:13 PM
Hi,
If you have an ACS server, then the ACS can restrict which public IPs are allowed to initiate an RA VPN IPsec connection to the ASA/router based on profiles.
If you don't have an ACS, the only option is on the ASA to create an ACL denying UDP 500 to the outside IP (with the control-plane option) so the ASA will check traffic to itself. But this is not what you're looking for, because it will restrict which IPs can initiate RA VPN for the entire ASA (it cannot discriminate based on profiles).
Federico.
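As an added illustration of the control-plane ACL described in the answer above (this is not configuration posted in the thread; the ACL name, the prefix 203.0.113.0/24 and the outside address 198.51.100.1 are constructed values), the ASA configuration would look like this. It goes one step beyond the answer by also covering UDP 4500, which IKE uses when NAT traversal is in play; since the tunnel cannot come up without an IKE exchange, filtering IKE is enough and ESP needs no rule.

```cisco
! Constructed example: restrict which public IPs may start IKE with the ASA itself.
! Allow IKE (UDP 500) and NAT-T (UDP 4500) only from the permitted prefix.
access-list CP-VPN extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq isakmp
access-list CP-VPN extended permit udp 203.0.113.0 255.255.255.0 host 198.51.100.1 eq 4500
! Drop IKE/NAT-T to the outside address from everyone else.
access-list CP-VPN extended deny udp any host 198.51.100.1 eq isakmp
access-list CP-VPN extended deny udp any host 198.51.100.1 eq 4500
! Do not block other traffic addressed to the ASA (management, etc.).
access-list CP-VPN extended permit ip any any
! The control-plane keyword makes the ACL apply to traffic destined to the ASA.
access-group CP-VPN in interface outside control-plane
```

As the answer notes, this gates IKE for the whole outside interface: a source that passes the ACL can still attempt any tunnel-group, so per-group source restriction still has to come from ACS (or a later feature), not from this ACL. Check the effect with `show access-list CP-VPN` and watch the hit counts on the deny lines when an unlisted source tries to connect.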