How flexible is ASA VPN auth & split tunnel

May 15th, 2007

I have an ASA5520 VPN cluster and I have a requirement to be able to a) assign IPs out of different IP pools for different users b) apply per user split tunnel ACLs c) enforce that only certain users are allowed to access the VPN device itself via telnet and ssh. It doesn't appear that this is possible within the local database, so I assume I have to use TACACS or something, but I still need to know if what I want to do is even possible.

ggilbert (Cisco Employee) Thu, 05/17/2007 - 11:00

I will try to answer it to the best of my ability.

a. You can assign a dedicated IP address to a user or assign a group policy for the user with the address pool.

b. You can assign a filter on the group-policy, and in turn tie the user to the group-policy.

c. You can use the "telnet" or "ssh" command and be specific about which IP address the request should come from to access the device.

OR as you said, you can use TACACS to assign the user to a specific group and assign specific address.

Hope this answers your questions.
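An added configuration example (not part of ggilbert's reply or the original thread) showing how the three points above map onto ASA local-database configuration: per-group address pools, per-group split-tunnel lists and VPN filters, users tied to group-policies, and management access limited by source host. All names, pools and subnets are hypothetical; `service-type` under `username` attributes assumes ASA 8.0 or later.

```cisco
! (a) separate address pools, each tied to its own group-policy
ip local pool POOL-ENG 10.10.10.1-10.10.10.50 mask 255.255.255.0
ip local pool POOL-SALES 10.10.20.1-10.10.20.50 mask 255.255.255.0
!
! (b) per-group split-tunnel network lists and a per-group VPN filter
access-list SPLIT-ENG standard permit 192.168.100.0 255.255.255.0
access-list SPLIT-SALES standard permit 192.168.200.0 255.255.255.0
access-list FILTER-SALES extended permit tcp any 192.168.200.0 255.255.255.0 eq 443
!
group-policy GP-ENG internal
group-policy GP-ENG attributes
 address-pools value POOL-ENG
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ENG
!
group-policy GP-SALES internal
group-policy GP-SALES attributes
 address-pools value POOL-SALES
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-SALES
 vpn-filter value FILTER-SALES
!
! tie each local user to a group-policy; a user can also get a fixed address
! (hypothetical users; passwords omitted)
username alice password <password>
username alice attributes
 vpn-group-policy GP-ENG
 service-type remote-access
username bob password <password>
username bob attributes
 vpn-group-policy GP-SALES
 vpn-framed-ip-address 10.10.20.7 255.255.255.0
 service-type remote-access
username netadmin password <password>
username netadmin attributes
 service-type admin
!
! (c) management access: only these inside hosts may reach SSH/Telnet, and
! logins are checked against the local database, where only "admin" users
! (not the remote-access VPN users above) may log in to the device itself
ssh 192.168.1.0 255.255.255.0 inside
telnet 192.168.1.10 255.255.255.255 inside
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
```

The same group-policy and per-user attributes can be returned from a TACACS+ or RADIUS server instead of the local database, which is the alternative mentioned in the reply.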