05-29-2007 06:35 AM
Hi to all,
I would like to know how I can restrict the hosts that can establish a Remote Access VPN with my ASA.
For example, I would like to allow some public IPs and deny all the others.
I have been looking in the manuals and on the web, but I haven't been able to find a solution.
Thanks and regards,
Fernando.
05-29-2007 07:06 AM
Fernando,
If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists.
If you are interested in filtering traffic after the session has been established, then you are looking for this...
05-29-2007 09:50 AM
Hi acomiskey,
First of all, thanks for your reply.
You said:
"If you want to restrict who can establish a vpn, look at the "sysopt connection permit-vpn" command. Disabling this will allow you to restrict access to particular addresses with interface access-lists."
I was looking for something similar to this, but to be applied to the object-group. I will go into more depth. I have two different groups for the VPN: one for management, which would need to be filtered to allow only some public IPs, and another VPN for office users, who would be able to access from any public IP. So if I used your solution, it would deny access for the office users.
Would it be possible to do it another way?
Kind Regards, Fernando.
02-16-2010 03:47 PM
Hi,
If you have an ACS, you can send attributes to the ASA to block IPsec tunnel attempts to the ASA based on profiles.
Federico.