Restriction by Source IP in Remote access VPN

rdianat
Level 1

Hi there,

I need to set up a Cisco ASA with 8.4(2) for a simple remote access IPsec VPN. Looks straightforward.

However, I have a requirement for which I need your help. The requirement is that I have to restrict each group-policy or profile to certain source IP addresses.

Please note that this restriction needs to be applied before tunnel establishment and applied to the source IP addresses, which are public IP addresses. VPN-filter does not work in this scenario, as vpn-filter only applies to post-decrypted traffic and not during tunnel establishment.

I see many discussions in different forums basically providing two solutions:

1. VPN-filter, which, as I mentioned, does not work in my case.

2. Disabling the default behavior of sysopt and defining ACLs. This also will not work for me. Suppose a user at location A with source IP 1.1.1.1 tries to VPN using profile A. He should be able to do so. But if the same user moves to location B and gets assigned IP address 2.2.2.2, he should not be able to connect using profile A. However, he still should be able to VPN using profile B, which is allowed by source IP 2.2.2.2 but NOT 1.1.1.1.

Thank you,

Razi

2 Replies

rohaverm
Level 1

Hi Razi,

I understand that you want to bind the group-policy to certain IP addresses, and filtering should take place on the basis of source IP address.

In the case of your 2nd solution:

User A lands on the tunnel group AT and gets the group policy AG; similarly, user B lands on BT and gets BG, with public IPs 1.1.1.1 and 2.2.2.2 respectively.

If user authentication is taking place on the AAA server, then using LDAP we can bind profiles/group policies to usernames and lock the tunnel-groups.

The catch here is that because 2.2.2.2 is also allowed, user A will be able to connect to the headend device, but obviously he will have his own privileges, group policy AG and not BG.

A 3rd option which I can think of is DAP.

You can bind IP address and username. After authentication the user will land on a similar tunnel group but will get customized group policies. Here is the link which you can refer to.

http://www.cisco.com/en/US/partner/products/ps6120/products_white_paper09186a00809fcf38.shtml#topic1

Hi Rohan,

Thank you for the solution and the link you have posted. The way you have described it, it may be possible to restrict access based on username, but for this special scenario it is administratively prohibitive to use username to restrict access. One of the requirements is that user A from location A may have limited access but from location B full access, and to manage this through LDAP groups is very difficult, especially when users are mobile and there are many of them. The simplicity of the restriction by source IP address is that it is static and it would be only a one-time configuration.