Cisco VPN :: ASA5520 / How To Restrict The Remote Access Network

Sep 6, 2010

In our VPN configuration (ASA5520, AnyConnect VPN Client), we have different VPN User Groups. These Group Policies are retrieved from an LDAP Server. We'd like to restrict the access like this:

A Group "Home User" might establish a VPN from anywhere on the Internet

A Group "restricted 3rd party" should only be allowed to establish a VPN from their specific public Source IP Address on the Internet (the public IP Address of this 3rd party Company). When these Users try to connect from any other IP Address on the Internet (Home, hotel, etc.), VPN Access should not work!
 
On our old solution, we were able to limit the remote access network, per user group, to some source IPs.
 
The IP Filters related to group policies in here seem only to be filters concerning the VPN Address (after the VPN is established: where can this user group connect to). But I did not find filters/access lists where you can define/restrict public access networks for some groups. Or is it possible to do that by Dynamic Access Policies? How?


Cisco VPN :: Restrict The Remote Access To ASA 5500?

Oct 20, 2012

Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP? If so, how?

Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (Public IP).


Cisco VPN :: 5510 Restrict Remote VPN Access For MAC OS X Users

Feb 12, 2013

I need a way to block MAC OS X users connecting remotely to our corporate users over VPN. I know there is an option to block connections based on VPN client version, but can't find a way to block users based on operating system.

We use Cisco ASA 5510 firewalls, one with v8.2(1) and the other with v7.2(3). I need to do this on both firewalls. They are both at different sites.


Cisco Security :: To Restrict Remote Access VPN To ASA 5500 Based On Source

Oct 20, 2012

Is it possible to restrict the Remote Access VPN to ASA based on the Source Public IP? If so, how? Here I am not talking about the VPN-Filter under group-policy. I want to restrict the access from a specified source IP (Public IP).


Cisco VPN :: ASA5520 Remote Access VPN Pool Migration?

Nov 29, 2012

best way to migrate to a new pool for remote access DHCP address assignment.  We are currently using a /24 pool, allowing us 253 IP Addresses... during the recent hurricane we hit 250 IP Addresses used, and had to start asking users to connect to our backup ASA VPN device in another country, not an ideal solution.  I'd like to expand our current VPN subnet to a /23, however I do not have a free /24 subnet above (or below) our current /24 subnet.

I can certainly allocate a new /23 subnet, but I am looking for the best migration plan with minimal downtime (no downtime would be preferred). Can I just add the new pool range to the tunnel-group RAVPN general-attributes section alongside the current pool, or should I just remove the old pool, log off all existing remote access VPN users and have them log on again to start using the new pool? We are running ASA Version 8.2(1).


Cisco Firewall :: Active ASA5520 Remote VPN Access Limitations

Sep 19, 2011

We have an Active/Active ASA 5520 setup. As I know, in an Active/Active setup there is no remote VPN access, so could I overcome this limitation? I have a solution but I don't know if it is applicable or not: we have a spare ASA 5510, so I can use it behind the Active/Active Firewalls, assign a public static NAT IP address to it, open all IPSEC and VPN ports and let the remote users connect to it. Is this an applicable setup or not?


Cisco VPN :: ASA5520 / Remote Vpn User Access Notification By Email?

Apr 5, 2011

Our customer has an ASA5520 Security appliance. I have already configured the remote VPN in the ASA; users can log on via the internet by VPN client and can access the internal network. The customer hopes we can make some configuration so that, if a remote user logs on to the ASA by VPN, they are notified by email that someone has logged in to their VPN.


Business Network Setup -restrict Access To Some Of The Computers?

Jun 26, 2012

I have a client who has asked me to "optimize" their network. They currently have a few shared folders that everyone can see, but what they want is to restrict access to some of the computers on the network. More specifically, they don't want the receptionist and the backroom workers to have access to those shared folders while the rest of the employees (the bosses) do have access to those folders. They have 2 computers with Windows 7, 2 computers with Windows XP, and a Mac.


Linksys E4200 - Restrict Network Access For One Machine On Home LAN?

Mar 18, 2013

As an example, I have 3 computers on a home network:

Machine A
Machine B
Machine C

What I would like to do is isolate "Machine C", so that it cannot communicate with "A" or "B" and vice versa. It should be an entirely separate entity.

Let's say I'm using a Linksys E4200. Is there a good way to configure the above scenario with the default firmware? Is it possible with non-default firmware such as DD-WRT or Tomato? I do not have experience with this but have no problem learning.

My understanding is that this can be done by placing "Machine C" in the DMZ. Unfortunately, I am told a lot of home routers do not have a secure way of setting up DMZ by default. The two routers solution can work but still requires restricting administrative access from "Machine C" and adds an additional potential point of failure.


Cisco Firewall :: 5520 - Restrict Remote IPSec Vpn From Company Pcs Only?

Aug 19, 2012

We wish to implement IPSec remote access VPN with the condition that employees should be able to connect to this VPN only from company-issued laptops and not from any other computers. I assume using client-side certs is one of the ways to do it but I couldn't find any doc that was really useful. Cisco's documentation seems quite obscure. We are on 8.1 (5520).


Cisco VPN :: Remote VPN On ASA5510 Getting Static IP From ASA5520

May 22, 2013

I configured a remote VPN on a Cisco ASA 5520 and everything seems to be working fine... DHCP IPs were being leased to users that connect to the VPN. But the issue now is that our customer wants a static IP to be given to a particular user when he connects via VPN.


Cisco :: ASA5520 - Implementing VPN For Remote Users?

Apr 25, 2012

I have roughly 50 users that are remote, and use VPN to access the resources in my network such as file servers, application servers etc. We currently use Microsoft VPN to authenticate those users. It works, but I am not a fan of Microsoft VPN.

I have purchased an ASA5520 to replace my crappy layer 3 HP core backbone switch, and plan on replacing my Microsoft VPN with Cisco VPN. I want to configure my ASA so my remote users can continue to VPN into my network securely. Is this possible?


Cisco VPN :: ASA5520 - IPSec L2L VPN Remote Peer Is Being Denied

Mar 18, 2012

We are trying to add an additional LAN-to-LAN IPsec VPN to our network. We currently have one remote office connected; when we configure the second VPN matching the first, the tunnel never begins to establish. There is an ACL that is denying the static IP for our remote office.
 
The layout is as follows:
 
Main office = ASA 5520
Remote Office A = ASA (Unknown Model)
Remote Office B = Adtran Router
 
All devices have static IP addresses.
 
We used the ASDM VPN wizard to create both VPN's.
 
We have created a rule allowing all traffic from our remote office IP, and that had no effect on the VPN aside from eliminating the following message from our logging:
 
4          Mar 19 2012          15:18:01          106023          67.50.19.230          50234          TWT-hq-e          31326          Deny udp src TWT-outside:67.50.19.230/50234 dst inside:TWT-hq-e/31326 by access-group "outside-in" [0x0, 0x0]
 
We have verified that both sides are configured the same however the VPN never is initiated so as of right now the ASA is simply blocking all attempts from our remote office to connect.


Cisco VPN :: ASA 5505 / Remote Access VPN - Unable To Access Internal Network

May 7, 2012

I have created a remote access VPN in my ASA 5505. The tunnel is established but I am not able to access the internal network.


Cisco :: Restrict Access To LMS 4.1 Web GUI?

Sep 1, 2012

Does LMS 4.1 support some way of restricting access to its web GUI to a specific IP list?


Cannot Restrict Access On LAN To 2 PCs Only

Mar 6, 2011

In our neighborhood we have about 10 residents on a LAN controlled by 1 resident. For connection I have a LAN modem which connects wirelessly to an aerial at resident 1. I have 2 computers one with Win 7 Ultimate and one with XP SP3. Thinking incorrectly that I was setting up a home network, in trying to get my 2 PC's to talk to one another I have permissions set up for everyone on both machines. However I have discovered that now all 10 residents can see my 2 PC's. While I can see both PC's from either machine, in trying to change the "Everyone" to restrict access to the names of each of the 2 pcs only, I can only see users and Administrator on that particular machine only and cannot add a user/name of the other PC. How can I stop the other residents from seeing my machine but allow me to see either of my machines from one another?


Cannot Restrict Access On LAN To 2 PC's

Apr 23, 2011

In our neighborhood we have about 10 residents on a LAN controlled by 1 resident. For connection I have a LAN modem which connects wirelessly to an aerial at resident 1. I have 2 computers one with Win 7 Ultimate and one with XP SP3. Thinking incorrectly that I was setting up a home network, in trying to get my 2 PC's to talk to one another I have permissions set up for everyone on both machines. However I have discovered that now all 10 residents can see my 2 PC's. While I can see both PC's from either machine, in trying to change the "Everyone" to restrict access to the names of each of the 2 pcs only, I can only see users and Administrator on that particular machine only and cannot add a user/name of the other PC.


Cisco AAA/Identity/Nac :: ACS 5.3 - How To Restrict AD Access

May 13, 2013

I have joined my ACS box to the domain and can auth users in active directory groups. I thought about this somewhat and would prefer to only use AD users in ACS groups. Is this possible? I can only seem to do local users in local groups and AD users in AD groups. Many people have access to AD so I don't want anyone to be able to move users in and out of AD groups and get access to equipment.


Cisco VPN :: 3020 Concentrator - How To Restrict Access

Sep 13, 2011

Client: CISCO VPN Client
VPN server: Cisco Concentrator 3020  OS v 4.7
 
I want to get away from configuring split tunneling for security reasons. With split tunneling I am able to specify which subnets the clients have access to. I do it by defining "Network Lists".
 
When I modify the group and select "tunnel everything" under "client config" tab, the users then can access all subnets in the LAN. When I select this option the "Split tunneling network list" is grayed out
 
End goal is to make all traffic go through the tunnel but be able to restrict access to specific subnets.


Cisco VPN :: 5520 - Restrict Certain AD Users From Access?

Dec 13, 2012

Is it possible to deny VPN access to specific AD accounts?
 
Currently setup with 5520, LDAP authentication for VPN users.


Restrict Internet Access To Particular Users?

May 28, 2011

Got myself the Netgear internal PCI wifi adapter today & it works just fine on my Windows XP SP3 desktop.

The only problem I have is the question of restricting access to kids @ home. If it was an external USB adapter, I could have just taken it away but the concern is the device being an internal & always available one. The user configuration on the PC is such that there is 1 main administrator (The actual windows "administrator" account) that no one uses. Apart from that,

- 1 user with admin privileges (me)

- 1 limited account for the kid

- 1 admin privilege account for the kid again (for purposes like installation of games which require an admin account as mandatory)

I would like for the wifi PCI card to work only when I login to my account. There must be some way by which I could disable the device or make the internet inaccessible in the other accounts (but pls bear in mind that 1 of the accounts that the kid uses also has admin privilege).

I tried disabling the device from control panel but in vain.. (tried something like the sys admins do in corporates ..) disabling the usb ports on the PC's in my office..!


Restrict Internet Access By User?

Jul 31, 2012

We're planning to open a coffee house for teens at my church. We want the internet to be accessible to them but want to restrict what sites they can access so homework, games, etc. can be accessed but not the stuff rated for violent, risky behaviors.


How To Restrict Internet Access In Wire Lan

Sep 29, 2012

How to restrict internet access in wire lan. There is 10 nos. system are connected with lan. For lan connection we are using D-link ethernet switch.


D-Link DIR-825 :: Restrict Access To Specified Internal IP's?

Aug 30, 2011

Have a new DIR-825 setup at home for coverage to another part of the house. I want to completely restrict clients using this WAP from accessing a couple internal IP's (that I use for work-related things). Restriction meaning filesharing, ping, RDP, etc - everything. Can this be done on the router side?


Cisco VPN :: ASA 5505 8.2(5) / IP LAN Can't Access Remote Network

Sep 27, 2012

I want my ASA 5505 8.2(5) to access my proxy server on the remote LAN through VPN. My VPN is OK, all PCs of the local network can access the remote network, but the ASA on the local network can't access the remote network. I think it's a NAT problem but ....

local network 192.168.157.0/24 local IP ASA 192.168.157.1
remote network 10.28.0.0 /16
remote proxy 10.28.1.26
my conf

[code]....


Cisco Routers :: RV220W - Restrict Access To One Web Address Only?

Oct 12, 2011

We will be opening a shop with a number of computers available to the public connected to the Web via one ISP with fixed IP using a RV220W router.
 
We wish to restrict web access to our company's web site only, say 'OurCompany.com'; how can we code this in the router?


Cisco Firewall :: Restrict Internet Access With ASA 5505?

Jul 5, 2011

I would like to restrict Internet traffic (HTTP & HTTPS) for Inside Users with an ASA 5505. I would like to setup a proxy-like system where a User/Password must be entered before the User can actually browse the web.
 
I know that this can be done with an additional RADIUS/TACACS+ Server. Is this also possible without any external AAA Server, so with User/PW stored on the ASA locally only?


Cisco Routers :: RV110W - Restrict Access To All But Few Websites

Apr 15, 2013

We have purchased an RV110W and I need to restrict internet access to the entire internet with the exception of 4 websites that are required for employees to do their jobs. I need to do this on 3 specific machines, not the entire network. I have looked at the internet access and schedule management pages of the router and just can't seem to figure out how to do this.


Cisco LAN :: 2651xm Restrict Access To Router Ports

Feb 20, 2013

cisco 2651xm router
IOS: c2600-ipbasek9-mz.124-15.T14.bin
 
I have a 16 port hub (NM-16ESW) installed in this router. Is there a way to lock down this hub so that only whitelisted machines will be allowed to connect to its ports? ie: by mac address or some other type of permission method? How to be able to plug their computer into the hub and join the network unless their device has been ok'd first.


Restrict Internet Access To More Than 8 Computers On Wired LAN?

Feb 13, 2011

I've been using "Linksys by Cisco Wireless-N Home ADSL2+ Modem Router WAG120N". I can restrict internet access to only 8 computers using their MAC addresses but there are no more entry fields for MAC addresses than 8. What shall I do when I need to block internet access to more than 8 computers, say 20 computers, on wired LAN? I don't like the option of blocking the internet access via IP address. I found it is not as effective as the MAC address option.


D-Link DIR-615 :: Restrict Access From Specific Devices?

Nov 18, 2012

How can I restrict wireless access to specific devices? Ideally, I would like to turn the access off and on to restrict my children's usage when we're not around or when they try to sneak on during the night.


Cisco :: ASA 5510 - Configure Remote Access VPN To Network?

Sep 23, 2011

I am trying to configure remote access VPN to my network. I have a Cisco ASA 5510 IOS 7.0(7).

I configured the VPN using ASDM 5.0.9 and below is the configuration received:

access-list 90 extended permit ip 192.xxx.xxx.0 255.255.255.0 192.xxx.xxx.248 255.255.255.248
access-list ClientVPN_splitTunnelAcl standard permit 192.xxx.xxx.0 255.255.255.0
ip local pool VPNIpPool 192.xxx.xxx.250-192.xxx.xxx.252 mask 255.255.255.0
[code].....


Cisco VPN :: Remote VPN With ASA 5520 - Can't Access Internal Network

Mar 14, 2011

I am trying to build a remote VPN in ASA 5520 Software Version 8.3(1). I am using ASDM 6.3(1) for the configuration. I went through the SSL VPN wizard and did the configuration. I tried connecting to the ASA using AnyConnect VPN and I could successfully connect the VPN. My home laptop takes an IP 192.168.60.21 (which I have defined in the wizard). Now my issue is, I can't access any office internal network from this laptop (none of the internal IPs is even pinging). Meanwhile, I could ping and RDP to this laptop (which is connected by AnyConnect VPN) from my office network. One thing I noticed is that when I run a traceroute to an internal IP from the laptop, the first hop goes to my home ISP router.








Copyrights 2005-15 www.BigResource.com, All rights reserved