03-08-2007 09:52 AM
Hi
First I must admit that I'm a newb with Cisco firewalls.
I have a situation where I have customers' servers with public IP addresses behind an ASA 5510. The addresses are not NATted. Some customers want to access their servers via a VPN connection. Do I have to give them a virtual IP that is also public and from the same pool as the ASA inside interface when they make a VPN connection to the ASA? The ASA inside interface is the servers' GW. Can I control that one customer can only access certain servers, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?
03-08-2007 11:07 AM
"Do I have to give them a virtual IP that is also public and from the same pool as the ASA inside interface when they make a VPN connection to the ASA?"
No. The VPN pool should be different.
"Can I control that one customer can only access certain servers, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?"
Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses.
03-08-2007 04:10 PM
Or... in case you have to use the same tunnel group for all users, you can assign different group policies to different usernames, thus with different split tunnel policies. A user-based group policy takes precedence over a group-based group policy.
-Kanishka
03-27-2007 05:21 AM
"Do I have to give them a virtual IP that is also public and from the same pool as the ASA inside interface when they make a VPN connection to the ASA?
No. The VPN pool should be different."
So when I have, for example, the 11.0.0.0/24 network on my inside interface, I can use IP addresses from 10.0.0.0/24 in the VPN pool? And from there on it's just a routing issue?
03-27-2007 07:53 AM
Yes, anything other than 11.0.0.0 would be fine.
03-27-2007 06:22 AM
"Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses."
How do I specify the addresses the client can connect to?
03-27-2007 08:00 AM
As Kanishka said above, you can have different split tunnel policies defining the traffic to be permitted over the tunnel.
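Both approaches from this thread (one tunnel-group per customer, and a per-user group policy override on a shared tunnel-group) put together in one configuration, as an added example that is not from any of the posters above. It assumes the 11.0.0.0/24 inside network and 10.0.0.0/24 VPN pool mentioned earlier, plus constructed server addresses 11.0.0.10 (customer A) and 11.0.0.20 (customer B); the split-tunnel list only tells the client what to route into the tunnel, so the example also attaches a vpn-filter ACL, which is what actually makes the ASA drop anything else the client sends.

```cisco
! Added example (not from this thread). ASA 7.x/8.x syntax; ipsec-ra is the
! older spelling of the remote-access tunnel-group type.
! Constructed addresses: inside 11.0.0.0/24, VPN pool 10.0.0.0/24,
! customer A server 11.0.0.10, customer B server 11.0.0.20.

! Pool must not overlap the inside subnet; a shared pool is fine because
! the per-customer policy, not the pool, decides what a client may reach.
ip local pool VPN-POOL 10.0.0.1-10.0.0.254 mask 255.255.255.0

! Split-tunnel lists (standard ACLs): destinations the client routes into the tunnel
access-list SPLIT-CUSTA standard permit host 11.0.0.10
access-list SPLIT-CUSTB standard permit host 11.0.0.20

! Enforcement on the ASA side: vpn-filter ACLs. Assumption: ACEs are written
! with the client (pool) address as source and the server as destination;
! check this orientation against the documentation for your ASA release.
access-list FILTER-CUSTA extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.10
access-list FILTER-CUSTB extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.20

group-policy GP-CUSTA internal
group-policy GP-CUSTA attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CUSTA
 vpn-filter value FILTER-CUSTA
group-policy GP-CUSTB internal
group-policy GP-CUSTB attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-CUSTB
 vpn-filter value FILTER-CUSTB

! Approach 1: one tunnel-group per customer, each with its own default policy
tunnel-group CUSTA type ipsec-ra
tunnel-group CUSTA general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CUSTA
tunnel-group CUSTA ipsec-attributes
 pre-shared-key <customer-A-group-key>
tunnel-group CUSTB type ipsec-ra
tunnel-group CUSTB general-attributes
 address-pool VPN-POOL
 default-group-policy GP-CUSTB
tunnel-group CUSTB ipsec-attributes
 pre-shared-key <customer-B-group-key>

! Approach 2 (single shared tunnel-group): a policy bound to the username
! overrides the tunnel-group's default policy for that user only.
username custb-admin password <password>
username custb-admin attributes
 vpn-group-policy GP-CUSTB
```

After a client connects, `show vpn-sessiondb remote` shows which group policy and filter the session received, which is the quickest way to confirm the per-customer separation is in effect.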