VPN / Only Allow certain L2L peers to initiate connection

thomas-cco
Level 1

Hi all,

Is there a way on a Cisco ASA to deny VPN initiations from unwanted peers (before any communication takes place)?

As a result, I would hope that I can create a list of allowed peer IPs and assign it to a VPN configuration or bind it to a specific interface (like a whitelist).

Kind regards,

Denis

1 Reply

Hello,

I think this can be done:

"Create a User-Defined Tunnel-Group

This method requires slightly more configuration, but it allows for more granularity. Each peer can have its own separate policy and pre-shared key. However, here it is important to change the ISAKMP ID on the dynamic peer so that it uses a name instead of an IP address. This allows the static ASA to match the incoming ISAKMP initialisation request to the right tunnel group and to use the right policies."

Take a look at this link for a configuration example:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118652-configure-asa-00.html

I didn't try this yet, but this is interesting stuff. Please share your progress.

You force the ASA to match ISAKMP IDs; that way, you can create a 'list of allowed peers' by IDs.
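The per-peer tunnel-group approach from the reply above, written out as an ASA configuration fragment for the static ("hub") side. This is an added example, not configuration from the original post or from the linked Cisco document; the peer names (branch1.example.net, branch2.example.net), the addresses (198.51.100.x), the object-group, ACL and map names, and the pre-shared-key placeholders are all made up for illustration, and the syntax assumes an ASA 9.x release. The second part goes beyond the reply and adds the address-based allow-list the question asked for, implemented as a to-the-box (control-plane) access rule; that is an assumption about the feature being available on the ASA in use and should be verified against the running version.

```cisco
! Added example (not from the original post). Static/hub ASA, IKEv1 with
! pre-shared keys. Names, keys and addresses are placeholders.

crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400

crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac

! One tunnel-group per allowed peer, named by the IKE ID the peer presents.
! Each dynamic peer must therefore send a name rather than its address
! ("crypto isakmp identity hostname" on that peer), and the name here must
! equal exactly what it sends. Each group carries its own key and policy.
tunnel-group branch1.example.net type ipsec-l2l
tunnel-group branch1.example.net ipsec-attributes
 ikev1 pre-shared-key <branch1-key>

tunnel-group branch2.example.net type ipsec-l2l
tunnel-group branch2.example.net ipsec-attributes
 ikev1 pre-shared-key <branch2-key>

! Dynamic crypto map so peers whose address is not known in advance can
! still negotiate; the tunnel-group lookup above decides who is accepted.
crypto dynamic-map DYN-L2L 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-L2L
crypto map OUTSIDE-MAP interface outside

! Check: DefaultL2LGroup is the fallback for IKEv1 L2L initiators that match
! no named tunnel-group. Leave it WITHOUT "ikev1 pre-shared-key"; an unknown
! initiator then fails IKE authentication instead of being accepted. Verify
! with "show running-config tunnel-group DefaultL2LGroup".

! Optional, beyond the reply: an address-based allow-list for peers with
! fixed public IPs, applied to traffic addressed to the ASA itself so that
! IKE (UDP/500) and NAT-T (UDP/4500) from anyone else is dropped before any
! negotiation starts. Assumption: the ASA release supports control-plane
! access-groups (check "access-group ?" for the control-plane keyword).
object-group network VPN-PEERS
 network-object host 198.51.100.10
 network-object host 198.51.100.20
access-list OUTSIDE-TO-BOX extended permit udp object-group VPN-PEERS any eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp object-group VPN-PEERS any eq 4500
access-list OUTSIDE-TO-BOX extended deny udp any any eq isakmp
access-list OUTSIDE-TO-BOX extended deny udp any any eq 4500
! Keep other to-the-box traffic (management, routing) as it was before.
access-list OUTSIDE-TO-BOX extended permit ip any any
access-group OUTSIDE-TO-BOX in interface outside control-plane
```

Two caveats a practitioner should keep in mind. First, the two filters suit different peers: a peer on a dynamic address cannot be listed by IP at all, so for it the named tunnel-group (ID plus per-peer key) is the only allow-list, while the control-plane rule only helps for peers whose addresses are fixed. Second, with IKEv1 and pre-shared keys, main mode delivers the ID payload only after the key has already been used, so the responder can look the key up by address alone; a name-based lookup as described in the reply relies on aggressive mode, which exposes the ID and a hash of the key in the clear. IKEv2 does not have this restriction, so if the peers support it, the same per-peer tunnel-group design is cleaner with IKEv2 (`ikev2 remote-authentication pre-shared-key` / `ikev2 local-authentication pre-shared-key` under the same `ipsec-attributes` section).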