VPN questions

Unanswered Question
Mar 8th, 2007

Hi

First I must admit that I'm newb with Cisco firewalls.

I have a situation where I have customers' servers with public IP addresses behind an ASA 5510. Addresses are not NATted. Some customers want to access their server via a VPN connection. Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA? The ASA inside interface is the servers' GW. Can I control that one customer can only access a certain server, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?

acomiskey Thu, 03/08/2007 - 11:07

Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is when they make VPN connection to ASA?

No. VPN pool should be different.

Can I control that that one customer can only access certain server because all servers are on the same VLAN and different customer servers are separated only with protected ports.

Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses.

kaachary Thu, 03/08/2007 - 16:10

Or... if you have to use the same tunnel group for all users, you can assign different group policies to different usernames, thus with different split tunnel policies. User-based group policy takes precedence over group-based group policy.

-Kanishka

ttl-systems Tue, 03/27/2007 - 05:21

"Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is when they make VPN connection to ASA?

No. VPN pool should be different. "

So when I have, for example, the 11.0.0.0/24 network on my inside interface, I can use IP addresses from 10.0.0.0/24 in the VPN pool? And from there on it's just a routing issue?

ttl-systems Tue, 03/27/2007 - 06:22

"Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses."

How do I specify the addresses the client can connect to?

acomiskey Tue, 03/27/2007 - 08:00

As Kanishka said above, you can have different split tunnel policies defining the traffic to be permitted over the tunnel.
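The following ASA configuration sketch is an added example illustrating the advice in this thread; it is not from any of the posters. It uses the thread's inside network 11.0.0.0/24 and VPN pool 10.0.0.0/24, and assumes constructed server addresses 11.0.0.10 (customer A) and 11.0.0.20 (customer B), placeholder pre-shared keys and passwords, and ASA 7.x syntax (`type ipsec-ra`; later releases use `type remote-access`). It shows both the per-customer tunnel-group approach and the shared tunnel group with per-username group policies, and adds a vpn-filter so the restriction is enforced on the ASA rather than only by the client's split-tunnel routing.

```cisco
! Added example, not from the thread. Assumed: ASA 7.x syntax; inside LAN 11.0.0.0/24;
! VPN pool 10.0.0.0/24; constructed server IPs 11.0.0.10 (cust A) and 11.0.0.20 (cust B).

! 1. VPN pool is a separate subnet from the inside interface; clients get a 10.0.0.x
!    address and the ASA (already the servers' gateway) routes between pool and LAN.
ip local pool VPN-POOL 10.0.0.1-10.0.0.254 mask 255.255.255.0

! 2. Per-customer split-tunnel lists: only these destinations are routed into the tunnel
!    by the client. This is client-side routing, not enforcement on the ASA.
access-list CUST-A-SPLIT standard permit host 11.0.0.10
access-list CUST-B-SPLIT standard permit host 11.0.0.20

! 3. Per-customer vpn-filter ACLs, enforced by the ASA on decrypted traffic.
!    Written from the remote side: source = VPN pool, destination = allowed server.
!    Switch protected ports do not help here, since VPN traffic enters from the ASA.
access-list CUST-A-FILTER extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.10
access-list CUST-B-FILTER extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.20

! 4. One group policy per customer carrying its split-tunnel list and filter.
group-policy CUST-A-POLICY internal
group-policy CUST-A-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST-A-SPLIT
 vpn-filter value CUST-A-FILTER
group-policy CUST-B-POLICY internal
group-policy CUST-B-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST-B-SPLIT
 vpn-filter value CUST-B-FILTER

! 5a. Separate tunnel group per customer (acomiskey's suggestion).
tunnel-group CUST-A type ipsec-ra
tunnel-group CUST-A general-attributes
 address-pool VPN-POOL
 default-group-policy CUST-A-POLICY
tunnel-group CUST-A ipsec-attributes
 pre-shared-key <customer-A-psk-placeholder>

! 5b. Or one shared tunnel group with per-username group policies (Kanishka's suggestion).
!     A policy attached to the username overrides the tunnel group's default policy.
tunnel-group SHARED type ipsec-ra
tunnel-group SHARED general-attributes
 address-pool VPN-POOL
 default-group-policy DfltGrpPolicy
username custA-user password <placeholder-password>
username custA-user attributes
 vpn-group-policy CUST-A-POLICY
username custB-user password <placeholder-password>
username custB-user attributes
 vpn-group-policy CUST-B-POLICY
```

Verify the effective policy for a connected user with `show vpn-sessiondb remote`, which reports the group policy and filter actually applied to each session.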
