RE: ASA Easy VPN access problem

From: Mahmoud Nossair <mahmoud.nossair_at_gmail.com>
Date: Mon, 13 Dec 2010 11:05:26 +0300

Dear Mr. Karim,

Thanks again for your reply. I will try your method and reply to you,
Inshaa'llah.

Best Regards,

==============================

Mahmoud Nossair

From: karim jamali [mailto:karim.jamali_at_gmail.com]
Sent: Monday, December 13, 2010 11:00 AM
To: Mahmoud Nossair; Cisco certification
Subject: Re: ASA Easy VPN access problem

Dear Mahmoud,

Hope you are doing fine. I am sure there is a better way of implementing it,
but a simple approach would be to put an ACL on the outside interface in the
incoming direction that will only allow ISAKMP/IPsec from certain peers
(public IP addresses); all other ISAKMP/IPsec traffic will be dropped.
Remember to allow any incoming traffic in the ACL if needed, otherwise you
will fall to the "implicit deny".

I am not sure if this is the best method, but I believe this should work.

Best Regards,

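Editor's note with an added configuration example; this is not Karim's or Mahmoud's config, and it is not taken from the thread. It shows the source-address filter Karim describes, written the way it has to be written on an ASA: an ACL bound with a plain "access-group ... in interface outside" governs through-the-box traffic only, while ISAKMP and ESP that terminate on the ASA's own outside address are to-the-box traffic, which the ASA (8.2(2) and later) filters only when the ACL is bound with the "control-plane" keyword. Assumptions: the outside interface is named "outside", IKEv1 Easy VPN over UDP 500/4500 and ESP (no IPsec-over-TCP), peer 1.1.1.1 from Mahmoud's example plus a constructed /29 block 203.0.113.0/29, and a constructed management host 198.51.100.10; the ACL and object-group names are made up for the example.

```cisco
! Added example, not from the thread. Assumed: interface "outside", ASA 8.2(2)+
! (control-plane ACL support), IKEv1 Easy VPN, permitted peer 1.1.1.1 (from the
! thread) and a constructed /29 203.0.113.0/29; management host 198.51.100.10 is
! also constructed. Object-group and ACL names are invented for the example.

! --- Weak state (what the original post describes): nothing restricts who may
! start IKE with the ASA. Any Internet host can send ISAKMP to the outside IP and
! get as far as the authentication phase. No extra config is needed for this.

! --- Corrected: a to-the-box ACL, bound with "control-plane".
object-group network VPN-PEERS
 network-object host 1.1.1.1
 network-object 203.0.113.0 255.255.255.248

! Phase 1 (ISAKMP), NAT-T (UDP 4500) and ESP, from the listed peers only.
access-list OUTSIDE-TO-BOX extended permit udp object-group VPN-PEERS any eq isakmp
access-list OUTSIDE-TO-BOX extended permit udp object-group VPN-PEERS any eq 4500
access-list OUTSIDE-TO-BOX extended permit esp object-group VPN-PEERS any

! The ACL ends in an implicit deny, so anything else the ASA itself must accept
! on outside (management SSH/ASDM, ICMP to the outside IP, and so on) needs an
! explicit permit. Example: SSH from the constructed management host.
access-list OUTSIDE-TO-BOX extended permit tcp host 198.51.100.10 any eq ssh

! Explicit logged deny so rejected IKE attempts show up in syslog.
access-list OUTSIDE-TO-BOX extended deny ip any any log

! "control-plane" makes the ACL apply to traffic destined to the ASA itself.
access-group OUTSIDE-TO-BOX in interface outside control-plane
```

To check it, start the Easy VPN client from a listed address and from an unlisted one, then compare "show access-list OUTSIDE-TO-BOX" hit counts on the permit and deny entries and "show crypto isakmp sa" for the resulting SAs; the unlisted client should get no IKE reply at all, so its failure is a timeout rather than an authentication error. Two caveats a practitioner will want: this filter acts on the source address before IKE runs, so it only reduces who can reach the authentication step that Shaughn mentions and is not a substitute for it, and it cannot accommodate roaming clients whose public address is not known in advance.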
On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair
<mahmoud.nossair_at_gmail.com> wrote:

Thanks for replying to me.

My point is: how can I allow only certain IPs or subnets (public IPs) to be
accepted as remote VPN users?

For example, suppose you have a public IP "1.1.1.1" and I have IP address
"2.2.2.2", and both you and I initiate remote VPN access, but the ASA
firewall will grant you access while dropping me.

Best Regards,

==============================

Mahmoud Nossair

From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
Sent: Monday, December 13, 2010 9:52 AM
To: Mahmoud Nossair
Cc: ccielab_at_groupstudy.com
Subject: Re: ASA Easy VPN access problem

I don't see the point. Only users who successfully authenticate can gain
access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
etc.?

CCIE # 23962 (SP)

On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com>
wrote:

Dear Experts

I have configured Easy VPN access on the Cisco ASA 5520, but the problem
is that anybody from the OUTSIDE can initiate a remote VPN access.

So how can I restrict the access to only a host or IP subnet from the OUTSIDE
interface? (i.e. nobody can initiate a remote VPN access unless explicitly
permitted through an access list or any other method).

Best Regards,

==============================

Mahmoud Nossair

CCIE Network Engineer.

Blogs and organic groups at http://www.ccie.net
Received on Mon Dec 13 2010 - 11:05:26 ART

This archive was generated by hypermail 2.2.0 : Sat Jan 01 2011 - 09:37:49 ART