I need to set up a Cisco ASA with 8.4(2) for a simple remote access IPsec VPN. Looks straightforward.
However, I have a requirement for which I need your help. The requirement is that I have to restrict each group-policy or profile to certain source IP addresses.
Please note that this restriction needs to be applied before tunnel establishment and applied to the source IP addresses, which are public IP addresses. VPN-filter does not work in this scenario, as vpn-filter only applies to post-decrypted traffic and not during tunnel establishment.
I see many discussions in different forums basically providing two solutions:
1. VPN-filter, which as I mentioned does not work in my case.
2. Disabling the default behavior of sysopt and defining ACLs. This also will not work for me. Suppose a user at location A with source IP 184.108.40.206 tries to VPN using profile A. He should be able to do so. But if the same user moves to location B and gets assigned IP address 220.127.116.11, he should not be able to connect using profile A. However, he still should be able to VPN using profile B, which is allowed by source IP of 18.104.22.168 but NOT 22.214.171.124.
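As an added illustration of the requirement in the post above (this is not part of the original thread and not Cisco's code), here is a Python audit script that reads ASA VPN session log lines, extracts the tunnel group and the remote public IP, and reports every session whose source falls outside the ranges allowed for that profile. The profile names, the allowed ranges and the log lines are constructed for the example; the "Group = ..., Username = ..., IP = ..." prefix follows the pattern ASA VPN syslog messages carry, but the specific message text around it is an assumption. This is after-the-fact detection over logs, not the pre-tunnel enforcement the question asks for, but it gives a defender a way to verify that the policy holds regardless of how it is enforced on the box.

```python
import ipaddress
import re

# Per-profile allowed public source ranges. Profile names and ranges are
# hypothetical, modelled on "profile A" / "profile B" from the question.
ALLOWED_SOURCES = {
    "ProfileA": [ipaddress.ip_network("184.108.40.0/24")],
    "ProfileB": [ipaddress.ip_network("18.104.22.0/24")],
}

# Matches the "Group = <tunnel-group>, Username = <user>, IP = <peer ip>" prefix
# used by ASA VPN session syslog messages; the rest of the line is ignored.
_SESSION_RE = re.compile(
    r"Group = (?P<group>[^,]+), Username = (?P<user>[^,]+), IP = (?P<ip>[0-9.]+)"
)


def parse_session_line(line):
    """Return {"group", "user", "ip"} for a VPN session line, or None for other lines."""
    m = _SESSION_RE.search(line)
    if not m:
        return None
    return {
        "group": m.group("group").strip(),
        "user": m.group("user").strip(),
        "ip": ipaddress.ip_address(m.group("ip")),
    }


def source_allowed(group, ip):
    """True if the peer's public IP is inside one of the ranges allowed for the profile."""
    nets = ALLOWED_SOURCES.get(group)
    if nets is None:
        return False  # unknown profile: fail closed so it shows up in the audit
    return any(ip in net for net in nets)


def audit(lines):
    """Return (user, group, ip) tuples for sessions built from a disallowed source."""
    findings = []
    for line in lines:
        session = parse_session_line(line)
        if session is None:
            continue  # not a VPN session message
        if not source_allowed(session["group"], session["ip"]):
            findings.append((session["user"], session["group"], str(session["ip"])))
    return findings


# Constructed sample log lines (not real ASA output); the four session lines
# mirror the four cases described in the question.
SAMPLE_LOG = [
    "%ASA-6-713228: Group = ProfileA, Username = alice, IP = 184.108.40.206, Assigned private IP address 10.10.10.5 to remote user",
    "%ASA-6-713228: Group = ProfileA, Username = alice, IP = 220.127.116.11, Assigned private IP address 10.10.10.6 to remote user",
    "%ASA-6-713228: Group = ProfileB, Username = alice, IP = 18.104.22.168, Assigned private IP address 10.10.20.5 to remote user",
    "%ASA-6-713228: Group = ProfileB, Username = bob, IP = 22.214.171.124, Assigned private IP address 10.10.20.6 to remote user",
    "%ASA-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.9/51000 to inside:10.0.0.5/443",
]


if __name__ == "__main__":
    for user, group, ip in audit(SAMPLE_LOG):
        print(f"VIOLATION: user={user} profile={group} source={ip}")
```

Running the script prints two violations: alice connecting to ProfileA from 220.127.116.11 and bob connecting to ProfileB from 22.214.171.124; the ProfileA session from 184.108.40.206 and the ProfileB session from 18.104.22.168 pass. Unknown profile names are treated as violations on purpose, so a new tunnel-group that was never added to the allow list is not silently accepted.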
Thank you for the solution and the link you have posted. The way you have described it may be possible to restrict access based on username, but for this special scenario, it is administratively prohibitive to use username to restrict access. One of the requirements is that user A from location A may have limited access but from location B full access, and to manage this through LDAP groups is very difficult, especially when users are mobile and there are many of them. The simplicity of the restriction by source IP address is that it is static and it would be only a one-time configuration.