I am just trying to understand why you want to do that?
Surely some of the remote users are going to have dynamic IP addresses from time to time.
CCIE # 23962 (SP)
On 13 Dec 2010, at 10:00 AM, karim jamali <karim.jamali_at_gmail.com> wrote:
> Dear Mahmoud,
>
> Hope you are doing fine. I am sure there is a better way of implementing it
> but a simple approach would be to put an ACL on the outside interface in the
> incoming direction that will only allow ISAKMP/IPSec from certain peers
> (public ip addresses) and all other ISAKMP/IPSec traffic will be dropped.
> Remember to allow any incoming traffic in the ACL if needed otherwise you
> will fall to the "implicit deny".
>
> I am not sure if this is the best method, but I believe this should work.
>
> Best Regards,
>
> On Mon, Dec 13, 2010 at 10:54 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>
>> Thanks for replying to me.
>>
>> My point is: how can I allow only certain IPs or a subnet (public IPs) to be
>> accepted as remote VPN users?
>>
>> For example, suppose you have a public IP "1.1.1.1" and I have IP address
>> "2.2.2.2", and both you and I are initiating remote VPN access, but the ASA
>> firewall will grant you access while dropping me.
>>
>> Best Regards,
>>
>> ==============================
>>
>> Mahmoud Nossair
>>
>> From: Shaughn Smith [mailto:maniac.smg_at_gmail.com]
>> Sent: Monday, December 13, 2010 9:52 AM
>> To: Mahmoud Nossair
>> Cc: ccielab_at_groupstudy.com
>> Subject: Re: ASA Easy VPN access problem
>>
>>
>> I don't see the point. Only users who successfully authenticate can gain
>> access via the VPN. What auth method are you using: RADIUS, TACACS+, local,
>> etc.?
>>
>> CCIE # 23962 (SP)
>>
>> On Mon, Dec 13, 2010 at 8:26 AM, Mahmoud Nossair <mahmoud.nossair_at_gmail.com> wrote:
>>
>> Dear Experts,
>>
>> I had configured Easy VPN access to the Cisco ASA 5520, but the problem
>> is anybody from the OUTSIDE can initiate remote VPN access.
>>
>> So how can I restrict the access to only a HOST or IP subnet from the OUTSIDE
>> interface? (i.e. nobody can initiate remote VPN access unless explicitly
>> permitted through an access list or any other method).
>>
>> Best Regards,
>>
>> ==============================
>>
>> Mahmoud Nossair
>>
>> CCIE network Engineer.
>>
>> Blogs and organic groups at http://www.ccie.net <http://www.ccie.net/>
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> KJ
Received on Mon Dec 13 2010 - 10:08:57 ART
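
The peer-restricting ACL suggested in the quoted reply, sketched as an added example (not from the thread or its participants). It assumes ASA software that supports the `control-plane` keyword on `access-group`, which applies the ACL to traffic addressed to the ASA itself, such as IKE; the ACL name `VPN-PEERS` is hypothetical and 1.1.1.1 is the sample peer address used in the thread.

```cisco
! Added example. VPN-PEERS is a hypothetical name; 1.1.1.1 is the sample
! peer address from the thread.
!
! Permit IKE (UDP 500), NAT-T (UDP 4500) and ESP only from the approved peer.
access-list VPN-PEERS extended permit udp host 1.1.1.1 any eq isakmp
access-list VPN-PEERS extended permit udp host 1.1.1.1 any eq 4500
access-list VPN-PEERS extended permit esp host 1.1.1.1 any
!
! Explicitly drop the same protocols from every other source, so the
! result does not depend on how unmatched traffic is handled.
access-list VPN-PEERS extended deny udp any any eq isakmp
access-list VPN-PEERS extended deny udp any any eq 4500
access-list VPN-PEERS extended deny esp any any
!
! Bind the ACL to traffic terminating on the outside interface of the ASA.
access-group VPN-PEERS in interface outside control-plane
!
! Check the per-entry hit counts after a connection attempt from each side.
show access-list VPN-PEERS
```

As the first reply in the thread points out, a source-address allowlist like this only fits remote users whose public addresses are static.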