VPN questions

ttl-systems
Level 1

Hi

First I must admit that I'm a newb with Cisco firewalls.

I have a situation where I have customers' servers with public IP addresses behind an ASA 5510. The addresses are not NATed. Some customers want to access their server via a VPN connection. Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA? The ASA inside interface is the servers' GW. Can I control that one customer can only access a certain server, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?

6 Replies

acomiskey
Level 10

Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA?

No. The VPN pool should be different.

Can I control that one customer can only access a certain server, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?

Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses.

Or... if you have to use the same tunnel group for all users, you can assign different group policies to different usernames, thus with different split tunnel policies. A user-based group policy takes precedence over a group-based group policy.

-Kanishka

"Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA?

No. The VPN pool should be different."

So when I have, for example, the 11.0.0.0/24 network on my inside interface, I can use IP addresses from 10.0.0.0/24 in the VPN pool? And from there on it's just a routing issue?

Yes, anything other than 11.0.0.0 would be fine.

"Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses."

How do I specify the addresses the client can connect to?

As Kanishka said above, you can have different split tunnel policies defining the traffic to be permitted over the tunnel.
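The per-customer tunnel-group and split-tunnel approach described in the replies above, written out as an ASA configuration fragment. This is an added illustration, not configuration posted by anyone in the thread: the 11.0.0.0/24 inside network comes from the question, while the pool ranges, server addresses, customer names and the username are assumed placeholders. It also adds a vpn-filter per group policy, because a split-tunnel list only tells the client which destinations to route into the tunnel; the vpn-filter is what the ASA itself enforces.

```text
! Inside network 11.0.0.0/24 is from the thread; the pools below are assumed
! examples and deliberately do not overlap the inside subnet.
ip local pool CUST-A-POOL 10.0.1.1-10.0.1.50 mask 255.255.255.0
ip local pool CUST-B-POOL 10.0.2.1-10.0.2.50 mask 255.255.255.0

! Split-tunnel lists: destinations each customer's client sends into the tunnel
! (assumed server addresses 11.0.0.10 and 11.0.0.20).
access-list CUST-A-SPLIT standard permit host 11.0.0.10
access-list CUST-B-SPLIT standard permit host 11.0.0.20

! vpn-filter lists: enforced on the ASA for traffic arriving from the VPN client.
! Source is the client's pool address, destination the server it may reach;
! anything not permitted here is dropped even if the client routes it in.
access-list CUST-A-FILTER extended permit ip 10.0.1.0 255.255.255.0 host 11.0.0.10
access-list CUST-B-FILTER extended permit ip 10.0.2.0 255.255.255.0 host 11.0.0.20

! One group policy per customer carrying its split-tunnel list and filter.
group-policy CUST-A-GP internal
group-policy CUST-A-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST-A-SPLIT
 vpn-filter value CUST-A-FILTER

group-policy CUST-B-GP internal
group-policy CUST-B-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST-B-SPLIT
 vpn-filter value CUST-B-FILTER

! One tunnel-group per customer, each handing out its own pool and policy.
tunnel-group CUST-A type remote-access
tunnel-group CUST-A general-attributes
 address-pool CUST-A-POOL
 default-group-policy CUST-A-GP

tunnel-group CUST-B type remote-access
tunnel-group CUST-B general-attributes
 address-pool CUST-B-POOL
 default-group-policy CUST-B-GP

! Alternative from the second reply: a shared tunnel-group with the policy
! pinned per user; the username's vpn-group-policy overrides the group default.
username custA-user password <PLACEHOLDER>
username custA-user attributes
 vpn-group-policy CUST-A-GP
```

The protected-port separation on the switch does not apply to traffic the ASA forwards from the VPN, which is why the per-customer vpn-filter, rather than the split-tunnel list alone, is the control that keeps one customer off another customer's server.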
