You can only establish remote access VPN connections on the primary
interface which has the default route so I don't believe this will work.
You cannot control who can access the ASA via IPSEC by using an
access-list. You would have to apply that to the control plane and that
would affect all VPN groups.
You can apply an access-list to restrict which resources people can access
once they successfully connect, but to do this you either have to use vpn
filter or specify the "no sysopt connection permit-vpn" which turns off the
bypassing of the access-list for the VPN.
In your case I think the best you are going to do is use a group password
and user authentication rather than a certificate. It won't restrict which
IP they connect from however.
-Marc
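An illustrative ASA configuration for the two post-connect restriction options described above (a per-group vpn-filter versus "no sysopt connection permit-vpn" with an interface ACL); this is an added example, not configuration from the thread. The tunnel-group, group-policy, pool and ACL names, the 10.10.10.0/24 client pool and the 192.168.1.x inside hosts are assumed values.

```cisco
! Added illustrative ASA configuration, not from the thread. Names, the
! 10.10.10.0/24 client pool and the 192.168.1.x inside hosts are assumed.
!
! Option A: vpn-filter. The ACL is written with the client's assigned
! address as the source and the inside resource as the destination, and is
! bound to one group-policy, so only that group is affected.
ip local pool RA_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0
access-list RA_VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-list RA_VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.20 eq 3389
! implicit deny: anything else from this group's clients is dropped
group-policy RA_RESTRICTED internal
group-policy RA_RESTRICTED attributes
 vpn-filter value RA_VPN_FILTER
tunnel-group RA_RESTRICTED type remote-access
tunnel-group RA_RESTRICTED general-attributes
 address-pool RA_POOL
 default-group-policy RA_RESTRICTED
!
! Option B: stop decrypted VPN traffic from bypassing the interface ACL.
! The outside ACL then applies to every VPN group terminating on that
! interface (and to non-VPN inbound traffic), not to one group.
no sysopt connection permit-vpn
access-list OUTSIDE_IN extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
```

With option B, any existing permits for non-VPN inbound traffic must also be present in OUTSIDE_IN, since that ACL now governs both.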
On Tue, Jun 12, 2012 at 7:47 PM, Mahmoud Genidy <ccie.mahmoud_at_gmail.com> wrote:
> Thanks Joseph
>
> Knowing it is an option configurable with Fortigate I thought there may be
> an equivalent in ASA.
>
> I couldn't understand your point when you said it is not possible then you
> said it can be done using "isakmp profile match identity address"?
>
> I thought about some alternative solution: To create a second external
> outside interface on the ASA and apply ACL on the internet router connected
> to this interface to restrict the VPN access. Another option would be to
> apply the ACL on the outside interface itself, however I doubt it will
> work!
>
>
> On Tue, Jun 12, 2012 at 4:12 PM, Joseph L. Brunner
> <joe_at_affirmedsystems.com> wrote:
>
> > Not possible... practically speaking.. people move around a lot, etc.
> >
> > If you knew their IP was going to always be X - say you had some
> > consultants that only use the vpn from a major site, etc. then it could be
> > done with isakmp profiles matching "isakmp profile match identity address"
> > and the like - but remember, we are architects and designers more than we
> > are "errand boys" at our level...
> >
> > Just because some business person has a vision of Acid Burn and Crash
> > Override sitting at their Toshiba Tecras and some neon characters going by
> > in the background doesn't mean IT works that way...
> >
> > What works for most must for all :0)
> >
> > That's how I support it!
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > Mahmoud Genidy
> > Sent: Tuesday, June 12, 2012 1:51 AM
> > To: Cisco certification
> > Subject: Re: ASA dial in VPN policies
> >
> > Let me rephrase the question:
> >
> > How to restrict remote access VPN users based on their source (Real) IP
> > address in ASA firewall?
> >
> >
> > On Tue, Jun 12, 2012 at 3:17 PM, Joseph L. Brunner
> > <joe_at_affirmedsystems.com> wrote:
> >
> > > This is done in the real world by giving out two vpn groups... not by
> > > tweaking little things behind the scenes for the one group...
> > >
> > > There are other things you probably need to do with your time/life
> > > than this...
> > >
> > > Two groups...
> > >
> > > -----Original Message-----
> > > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > > Of Mahmoud Genidy
> > > Sent: Monday, June 11, 2012 9:31 PM
> > > To: Cisco certification
> > > Subject: ASA dial in VPN policies
> > >
> > > Hi Team,
> > >
> > > Is it possible to have the ASA configured for two different dial in
> > > VPN access policies as follows:
> > >
> > > - First group of remote dial in VPN users are active directory
> > > authenticated and restricted with private certificate
> > >
> > > - Second group of remote dial in VPN users are active directory
> > > authenticated and restricted based on their source real IP address
> > >
> > > What may be the options for implementation, and would this require the
> > > two groups of users to dial into two different external ASA IP addresses?
> > >
> > > The story behind this is that the customer has implemented a Private
> > > Certificate as part of remote dial in VPN access authentication. They
> > > have some of their remote users not happy with this option as it
> > > restricts remote access to the specific PC or Laptop where the certificate
> > > is installed.
> > > However they need flexibility of connecting from any PC within their
> > > remote small office/home where they connect through a gateway with a
> > > fixed Real-IP address. So for this group of users they need to
> > > implement another policy where they can have access restriction based
> > > on their source real IP address. Other users who are already happy with
> > > the private certificate will stay the same.
> > >
> > > Cheers
> > >
> > > Mahmoud
> > > CCIE#23690
> > >
> > >
> > > Blogs and organic groups at http://www.ccie.net
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
--
Marc Abel
CCIE #35470 (Routing and Switching)

Received on Tue Jun 12 2012 - 22:23:01 ART