accesslist per user that logs in by vpn client

m.hierling
Level 1

Hi,

I have a problem finding a similar command on IOS. On my ASA, responsible for the WLAN VPN, I have a command like this:

group-policy mygroup attributes

vpn-filter value vpnclient

that applies the access-list vpnclient to every user who logs in (Cisco VPN Client). Now my VPN from the internet is handled by a 28xx with a crypto module and, of course, it has IOS, so everything changed :-( . Can someone please point me to something similar? I took a short look in the IOS 12.4 security command reference but found nothing.

I want to apply an access-list to every user that logs in by VPN Client.

regards Martin

3 Replies

Jon Marshall
Hall of Fame

Martin

2 options spring to mind, neither of which may meet your requirements exactly:

1) Do you hand out the IP addresses to the VPN clients when they connect to the 2851? If so, you could use an access-list that restricts traffic from that subnet/subnets to subnets within your network. This would probably be the easiest way to approach this.

2) You could, if you have an ACS, use a per-group DACL (Downloadable Access List) which is downloaded to the router. However, this would require a lot more setting up/testing than option 1.

Jon

Jon,

Perhaps I should describe the setup in more detail:

I have an IP pool /28 where some service people can log into our network. Every company gets its own VPN group/group password and user. They all get an IP from the same pool but do not have access to the same resources inside our network. At the moment I have only 1 customer, so the access-list on the interface did the job. But now I have to add a 2nd, with the same IP range but other resources inside our LAN. With the access-list all users have access to all resources, which I don't want. So an access-list per VPN group would be the solution. Do you have any information about the downloadable ACLs?

regards Martin

Hi,

You can associate a VPN group with a tunnel interface and configure an inbound ACL on any tunnel interface:

For example, if you have 10 VPN groups, you can create 10 different tunnel interfaces.

Please rate if helpful!

Diego
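The per-group tunnel-interface approach Diego describes, combined with the pool-subnet ACL from Jon's option 1, worked through as an added IOS configuration example. This is not configuration from the thread or from Cisco documentation; it is a constructed illustration. It assumes an Easy VPN server with dynamic virtual tunnel interfaces (DVTI) on an IOS 12.4 router, two groups named companyA and companyB sharing one pool 10.10.200.0/28, GigabitEthernet0/0 as the LAN interface, and 10.1.1.10 and 10.1.2.20 as the internal hosts each company is allowed to reach. All names, addresses and the <...> secrets are placeholders.

```cisco
! Constructed example: two Easy VPN groups sharing one address pool,
! each terminated on its own dynamic virtual tunnel interface so that
! a different inbound ACL can be applied per group.
aaa new-model
aaa authentication login vpn-users local
aaa authorization network vpn-groups local
username companyA-tech secret <password-A>
username companyB-tech secret <password-B>

! Shared pool: the /28 from the thread, assumed here as 10.10.200.0/28
ip local pool VPN-POOL 10.10.200.1 10.10.200.14

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2

! One client configuration group per service company (group name +
! group pre-shared key, as the Cisco VPN Client expects)
crypto isakmp client configuration group companyA
 key <group-key-A>
 pool VPN-POOL
crypto isakmp client configuration group companyB
 key <group-key-B>
 pool VPN-POOL

! One ISAKMP profile per group; the "match identity group" binds the
! group to a dedicated virtual template, which is what makes a
! per-group ACL possible even though both groups share the pool.
crypto isakmp profile PROF-A
 match identity group companyA
 client authentication list vpn-users
 isakmp authorization list vpn-groups
 client configuration address respond
 virtual-template 1
crypto isakmp profile PROF-B
 match identity group companyB
 client authentication list vpn-users
 isakmp authorization list vpn-groups
 client configuration address respond
 virtual-template 2

crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
crypto ipsec profile IPSEC-PROF
 set transform-set TS-AES

! Per-group filters: only the resources that company may reach.
! Source is restricted to the pool as well, so an address a client
! configured by hand outside the pool is dropped too. The explicit
! "deny ... log" makes policy violations visible in syslog.
ip access-list extended VPN-A-IN
 permit ip 10.10.200.0 0.0.0.15 host 10.1.1.10
 deny   ip any any log
ip access-list extended VPN-B-IN
 permit ip 10.10.200.0 0.0.0.15 host 10.1.2.20
 deny   ip any any log

! One virtual template per group. Every virtual-access interface
! cloned from a template inherits its ACL, so each company's
! sessions are filtered by their own list.
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip access-group VPN-A-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip access-group VPN-B-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
```

Two caveats worth keeping in mind. First, the `acl` command available under `crypto isakmp client configuration group` is a split-tunnel list (it tells the client which destinations to send through the tunnel); it is not a filter and must not be relied on for access control, which is why the filtering here lives on the virtual template instead. Second, an `ip access-group ... in` on the tunnel interface is stateless and only covers traffic from the client into the LAN; if LAN hosts must be prevented from initiating connections back to the clients, filter that direction on the LAN side or use stateful inspection. Verify the result after a client connects with `show crypto session` and `show ip access-lists`, which shows hit counts on the deny entries for each group.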
