Re: ASA dial in VPN policies

From: Mahmoud Genidy <ccie.mahmoud_at_gmail.com>
Date: Tue, 12 Jun 2012 15:51:19 +1000

Let me rephrase the question:

How to restrict remote access VPN users based on their source (real) IP
address in an ASA firewall?

On Tue, Jun 12, 2012 at 3:17 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> This is done in the real world by giving out two vpn groups... not by
> tweaking little things behind the scenes for the one group...
>
> There are other things you probably need to do with your time/life than
> this...
>
> Two groups...
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Mahmoud Genidy
> Sent: Monday, June 11, 2012 9:31 PM
> To: Cisco certification
> Subject: ASA dial in VPN policies
>
> Hi Team,
>
> Is it possible to have the ASA configured for two different dial in VPN
> access policies as follows:
>
> - First group of remote dial in VPN users are Active Directory
> authenticated and restricted with a private certificate
>
> - Second group of remote dial in VPN users are Active Directory
> authenticated and restricted based on their source real IP address
>
>
>
> What may be the options for implementation, and would this require the two
> groups of users to dial into two different external ASA IP addresses?
>
>
>
> The story behind this is that the customer has implemented a private
> certificate as part of remote dial in VPN access authentication. Some of
> their remote users are not happy with this option, as it restricts remote
> access to the specific PC or laptop where the certificate is installed.
> However, they need the flexibility of connecting from any PC within their
> remote small office/home, where they connect through a gateway with a fixed
> real IP address. So for this group of users they need to implement another
> policy where access is restricted based on their source real IP address.
> Other users who are already happy with the private certificate will stay
> the same.
>
>
>
> Cheers
>
> Mahmoud
> CCIE#23690
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

Received on Tue Jun 12 2012 - 15:51:19 ART
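The "two groups" approach from the reply above, expressed as an ASA configuration. This is an added example, not configuration posted by anyone in the thread; every name in it (the AD-LDAP server, the 10.0.0.10 domain controller, the example.com base DN, the RA-POOL address pool, the GP-CERT/GP-IP group policies and the RA-CERT/RA-IP tunnel-groups) is assumed, and it presumes the client-CA trustpoint and AnyConnect image are already installed. Both tunnel-groups authenticate against Active Directory via LDAP; only the first also demands a client certificate.

```text
! Assumed names throughout; the customer's real values differ.
ip local pool RA-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0

! Active Directory reached over LDAP from the inside interface
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,cn=Users,dc=example,dc=com
 ldap-login-password <bind-password>
 server-type microsoft

group-policy GP-CERT internal
group-policy GP-CERT attributes
 vpn-tunnel-protocol ssl-client
group-policy GP-IP internal
group-policy GP-IP attributes
 vpn-tunnel-protocol ssl-client

webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable

! Group 1: AD credentials AND a client certificate from the private CA
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 address-pool RA-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-CERT
tunnel-group RA-CERT webvpn-attributes
 authentication aaa certificate
 group-alias cert-users enable

! Group 2: AD credentials only; intended for the fixed-IP small offices
tunnel-group RA-IP type remote-access
tunnel-group RA-IP general-attributes
 address-pool RA-POOL
 authentication-server-group AD-LDAP
 default-group-policy GP-IP
tunnel-group RA-IP webvpn-attributes
 authentication aaa
 group-alias office-users enable
```

Two things a practitioner should check before deploying this. First, with `tunnel-group-list enable` the user picks the group by alias, so anyone holding valid AD credentials can choose the office-users alias and bypass the certificate requirement; the second group is only as strong as whatever source-IP restriction is layered on top of it. Second, this fragment does not itself implement that restriction, which is the open question in the thread: an ASA control-plane ACL on the outside interface applies to every tunnel-group terminating on that interface, so it cannot be used to limit only the office-users group without also limiting the certificate users.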
