Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2935
Views
0
Helpful
5
Replies

restrict remote ip addrss to authenticate/access vpn

bert_1972
Level 1
Level 1

‎10-25-2010 08:55 PM

Hi,

How to restrict remote IP address allowed to authenticate/access to Cisco ASA Firewall IPSEC VPN?


For example, I only want allow x.y.12.0-254 to.

I tried allowing the above IP Address range and deny everything else to the following ports, but it doesn't work. All IP Address still able to authenticate/access Cisco ASA Firewall IPSEC VPN.
- AH
- ESP
- TCP10000
- UDP4500
- UDP500 (ISAKMP)

Please give me advice how to restrict by not putting another box in front of the Cisco ASA Firewall.

TIA

Labels:
0 Helpful
5 Replies 5

Jitendriya Athavale
Cisco Employee
Cisco Employee

‎10-25-2010 09:02 PM

hi bert

if i understand you right you want to allow only a particular subnet to have management access to your firewall through ipsec vpn??? am i right

if that is so just allow only those ip's to access the firewall using telnet/ssh or http

ssh 10.0.1.0 255.255.255.0 inside

telnet10.1.1.0 255.255.255.0 inside

http 10.1.1.0 255.255.255.0 inside

instead of

ssh 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 inside

0 Helpful

Namit Agarwal
Cisco Employee
Cisco Employee

‎10-25-2010 09:51 PM

Hi Bert,

Could you please paste the config on the ASA ? Do you want to restrict VPN access to certain IP addresses ?

Thanks,

Namit

0 Helpful

bert_1972
Level 1
Level 1
In response to Namit Agarwal

‎10-26-2010 07:33 AM

Hi,

My RA and S2S VPN is working well. User connected and able to access the host once connected to VPN.

What I want is to restrict remote (client) IP Address (public) access to VPN Box (before they get connected thru VPN). Its like putting an ACL allowing only a certain internet IP Address to authenticate/access the VPN Box. VPN Box to drop packet from all IP Address (allow only x.y.12.0/24) trying to connect to port/protocol AH, ESP, TCP10000, UDP500, UDP4500.

Here is the config, I didn't include the VPN config as its working well as mentioned above.

---------------

!
interface Ethernet0/0
speed 100
duplex full
nameif outside
security-level 0
ip address a.b.121.144 255.255.255.248
!
object-group network ALLOWED
network-object x.y.12. 255.255.255.0
!
access-list outside_access_in extended permit ah object-group ALLOWED host a.b.121.144
access-list outside_access_in extended permit esp object-group ALLOWED host a.b.121.144
access-list outside_access_in extended permit tcp object-group ALLOWED host a.b.121.144 object-group TCP-10000
access-list outside_access_in extended permit udp object-group ALLOWED host a.b.121.144 object-group UDP-VPN-Services
access-list outside_access_in extended deny ah any host a.b.121.144
access-list outside_access_in extended deny esp any host a.b.121.144
access-list outside_access_in extended deny tcp any host a.b.121.144 object-group TCP-10000
access-list outside_access_in extended deny udp any host a.b.121.144 object-group UDP-VPN-Services

------------------------------------------------

Bert

0 Helpful

Jitendriya Athavale
Cisco Employee
Cisco Employee
In response to bert_1972

‎10-26-2010 08:13 AM

now i am again confused

do you want to restrict access to the box after they vpn in (that is ssh telnet or http) or do you want t o stop them from connecting via vpn in the first place

if it is the first one i have already given you the solution

if it is the second one

wht access-list you have is correct, the idea being permit the one's that need to be allowed and deny rest all

but then it depends where you apply i assume you have applied it on the outside interface, this is incorrent apply it on the control plane also remove the sysopt command for vpn if you have any

access-group outside_access_in interface outside control-plane

this is avaiable only in codes beyond 8.04 or 05

also remove this command

sysopt connection permit-vpn

no sysopt connection permit-vpn

0 Helpful

bert_1972
Level 1
Level 1
In response to Jitendriya Athavale

‎10-26-2010 11:05 PM

Hi Jathaval,

I want to stop them from connecting via VPN.

My access-list doesn't work. Everybody are still able to connect via VPN. Interesting though, if I put a router in front and put that ACL in the router, it works. But I don't want to invest on that, I want the VPN box to be able to restrict the connection.

The reason I only put VPN ports (not ANY) is because internet need to access some services behind the firewall (e.g. Web, MAIL).

I'm using ASA5510 with OS version 8.2(1).

Thanks.

Bert

0 Helpful
Customers Also Viewed These Support Documents