Restrict the Remote Access VPN to ASA 5500 based on Source Public IP

anoop
Level 1

Hi,

Kindly clarify my doubt below.

Is it possible to restrict the Remote Access VPN to the ASA based on the source public IP? If so, how?

Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access to specified source IPs (public IPs).

Thanks in Advance

Anoop

2 Replies

Jennifer Halim
Cisco Employee

Yes, you can configure a "control plane" ACL on the ASA, and that affects all traffic terminating on the ASA itself, including SSH, HTTP, IPsec and SSL VPN.

So if you want to permit specific IPs for the remote access VPN tunnel, you can configure the following:

access-list cp-acl permit udp host <allowed-public-ip-1> interface outside eq 500
access-list cp-acl permit udp host <allowed-public-ip-2> interface outside eq 500
access-list cp-acl deny udp any any eq 500
access-list cp-acl permit esp any any
access-list cp-acl permit udp any any eq 4500
access-list cp-acl permit tcp any any eq ssh
access-list cp-acl permit tcp any any eq https

And you can permit everything else that you need in this ACL, and apply it on the ASA control plane.

Hope that helps.

I have the same requirement, to restrict the access to only certain allowed IP addresses. I configured the ACL as shown below, but it doesn't do anything; everyone can still VPN in from their home. In fact, even if I deny ip any any, the VPN can still get in. Where did I go wrong?

Cisco-ASA5505# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list inside_nat0_outbound; 3 elements; name hash: 0x467c8ce4
access-list inside_nat0_outbound line 1 extended permit ip any 192.168.2.0 255.255.255.128 (hitcnt=0) 0x5c97d161
access-list inside_nat0_outbound line 2 extended permit ip any 192.168.150.0 255.255.255.128 (hitcnt=0) 0x77773968
access-list inside_nat0_outbound line 3 extended deny ip host NAS 192.168.150.0 255.255.255.128 (hitcnt=0) 0xf6ceb3c1
access-list inside_access_in; 1 elements; name hash: 0x433a1af1
access-list inside_access_in line 1 extended permit ip 172.16.0.0 255.255.252.0 any (hitcnt=162996) 0x1bdace31
access-list vpn-acl; 6 elements; name hash: 0xa0e62c8f
access-list vpn-acl line 1 extended permit udp object-group VPN_Allowed interface outside eq isakmp 0xc54be022
  access-list vpn-acl line 1 extended permit udp host Bell interface outside eq isakmp (hitcnt=0) 0x07884d9b
access-list vpn-acl line 2 extended permit udp object-group VPN_Allowed interface outside eq 1701 0xbc9c961a
  access-list vpn-acl line 2 extended permit udp host Bell interface outside eq 1701 (hitcnt=0) 0x225e8f9e
access-list vpn-acl line 3 extended permit udp object-group VPN_Allowed interface outside eq 4500 0x8879aa16
  access-list vpn-acl line 3 extended permit udp host Bell interface outside eq 4500 (hitcnt=0) 0x31d4ca02
access-list vpn-acl line 4 extended deny udp any any eq isakmp (hitcnt=0) 0x36df568f
access-list vpn-acl line 5 extended deny udp any any eq 1701 (hitcnt=0) 0x6bd83067
access-list vpn-acl line 6 extended deny udp any any eq 4500 (hitcnt=0) 0x01703bd3
Cisco-ASA5505#
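The control-plane ACL in Jennifer's reply and the vpn-acl in the post above both depend on the same first-match semantics: the ACL is walked top to bottom, the first matching line decides, and an applied ACL ends in an implicit deny (which is why everything else the box needs has to be permitted explicitly). The Python model below is an added example written for this thread, not ASA code or anything posted by the participants. It parses the simplified ACE syntax used above and evaluates constructed packets against Jennifer's ACL. The host addresses 203.0.113.10 and 203.0.113.11, the outside interface address 198.51.100.1 and the source 192.0.2.55 are constructed sample values standing in for the elided ones; "interface outside" is resolved to that interface address.

```python
"""Model of Cisco ASA first-match ACL evaluation (added example for this
thread, not the ASA's own logic).  Parses the simplified ACE syntax used
in the replies and evaluates constructed packets against the suggested
control-plane ACL.  All addresses below are constructed sample values."""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Named ports the ASA "eq" keyword accepts in the ACEs quoted above.
PORT_NAMES = {"isakmp": 500, "ssh": 22, "https": 443}

OUTSIDE_IP = "198.51.100.1"  # constructed address of the outside interface


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "udp", "tcp", "esp", "ip"
    src: ipaddress.IPv4Network    # 'any' becomes 0.0.0.0/0
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None means any destination port


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'interface <name>'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if tok == "interface":
        tokens.pop(0)             # interface name; resolve to its own address
        return ipaddress.ip_network(OUTSIDE_IP + "/32")
    raise ValueError(f"unsupported address spec: {tok}")


def parse_ace(line: str) -> Ace:
    """Parse 'access-list <name> [extended] permit|deny <proto> <src> <dst> [eq <port>]'."""
    tokens = line.split()[2:]                 # drop 'access-list <name>'
    if tokens[0] == "extended":
        tokens.pop(0)
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _parse_addr(tokens)
    dst = _parse_addr(tokens)
    dport = None
    if tokens and tokens[0] == "eq":
        dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
    return Ace(action, proto, src, dst, dport)


def evaluate(acl, proto, src_ip, dst_ip, dport=None):
    """First matching ACE wins; an applied ASA ACL ends in an implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"  # implicit deny: anything not permitted is dropped


# Jennifer's control-plane ACL, with constructed hosts in place of the
# elided allowed public IPs.
CP_ACL = [parse_ace(l) for l in """
access-list cp-acl permit udp host 203.0.113.10 interface outside eq 500
access-list cp-acl permit udp host 203.0.113.11 interface outside eq 500
access-list cp-acl deny udp any any eq 500
access-list cp-acl permit esp any any
access-list cp-acl permit udp any any eq 4500
access-list cp-acl permit tcp any any eq ssh
access-list cp-acl permit tcp any any eq https
""".strip().splitlines()]


def check_remote_access(acl, src_ip):
    """Verdicts for the protocols a remote-access client sends to the ASA."""
    return {
        "ike":     evaluate(acl, "udp", src_ip, OUTSIDE_IP, 500),
        "nat-t":   evaluate(acl, "udp", src_ip, OUTSIDE_IP, 4500),
        "esp":     evaluate(acl, "esp", src_ip, OUTSIDE_IP),
        "ssl-vpn": evaluate(acl, "tcp", src_ip, OUTSIDE_IP, 443),
        "snmp":    evaluate(acl, "udp", src_ip, OUTSIDE_IP, 161),  # not permitted anywhere
    }


if __name__ == "__main__":
    for ip in ("203.0.113.10", "192.0.2.55"):
        print(ip, check_remote_access(CP_ACL, ip))
```

Running it shows the intended effect (IKE on udp/500 is permitted only from the two listed hosts and denied from everyone else, while udp/161 hits the implicit deny) and one gap worth noticing: the ACL as written still permits tcp/443 from any source, so it restricts IPsec remote access but not SSL VPN; the same host-permit then deny-any pattern would be needed on https to cover that. An ACL also has no effect until it is bound to the control plane with `access-group cp-acl in interface outside control-plane`; `show running-config access-group` shows whether that binding exists, and the `show access-list` hit counters should start moving once it does. In the output above every vpn-acl line shows hitcnt=0, which is consistent with the ACL not being in the packet path, although the output alone does not prove that.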