cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Restriction by Source IP in Remote access VPN

rdianat
Beginner
Beginner

Hi there,

I need to set up a Cisco ASA with 8.4(2), for a simple remote access IPSEC VPN. Looks straight forward.

However I have a requirement which I need your help. The requirement is that I have to restrict each group-policy or profile to certain source IP addresses.

Please note that this restriction needs to be applied before tunnel establishmen and applied to the source IP addresses which are public IP addressVPN-filter does not work in this scenario, as vpn-filter is only applies to post-decrypted traffic and not during tunnel establishemnet.

I see many discussions in different forums basically providing two solutions:

1. VPN-filter which as I mentioned does not work in my case.

2. disabling default behavior of sysopt and defining ACLs. This also will not work for me. suppose a user at location A with source ip 1.1.1.1 tries to VPN using profile A. he should be able to do so. but if the same user moves to location B and gets assigned ip address 2.2.2.2, he should not be able to connect using profile A. however he still should be able to VPN using profile B which is allowed by source IP of 2.2.2.2 but NOT 1.1.1.1

Thank you,

Razi

2 REPLIES 2

rohaverm
Beginner
Beginner

Hi Razi,

I understand that you want to bind the group-policy to certain IP address and filtering should take place on the basis of Source IP address.

In case of your 2nd Solution

The user A lands on the tunnel group AT and gets the group policy AG similarly user B lands on the BT and get BG with public ip 1.1.1.1 & 2.2.2.2 respectively.

If the user authentication of is taking place from the AAA server then using LDAP we can bind profiles/group policies to usernames & lock the tunnel-groups.

The catch here is because 2.2.2.2 is also allowed then user A will be able to connect the headend device, but obvioulsy he will have his own privileges, group policies AG and not BG.

3rd option which I can think of is DAP

You can bind IP address and username. After authentication user will land on similar tunnel group but will get customized group policies. Here is the link which you can refer.

http://www.cisco.com/en/US/partner/products/ps6120/products_white_paper09186a00809fcf38.shtml#topic1

Hi Rohan,

Thank you for the solution and the link you have posted. The way you have described it may be possible to restrict access based on username, but for this special scenario, it is administratively prohibitive to use username to restrict access. One of the requirements is that user A from location A may have limited access but from location B full access and to manage this through LDAP groups is very difficult specially when users are mobile and there are many of them. The simplicity of the restriction by source IP address is that it is static and it would be only one-time configuration.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: