Answered Question
Jul 22nd, 2010

So with an ASA 5520 VPN I have 3 or more VPNs coming in on separate subnets; however, the users can log into any of them, even though it does not set up the proper IP range and they can't do anything. This bothers me. Any suggestions?

Correct Answer by Jitendriya Athavale about 6 years 3 months ago

Yup, you can use the group-lock feature.

Jitendriya Athavale Thu, 07/22/2010 - 22:06

Could you please explain the problem a little more?

What exactly do you mean by "they can log into any of them"?

Do you mean that they can access any resource over any VPN?

pskipton01 Fri, 07/23/2010 - 04:14

OK, if they have a username and password for VPN1, they can get logged on and use the resources in the subnet belonging to that, and their connection profile seems to work fine.

If they use the connection VPN2 but are not in the connection profile for VPN2, they can still use the same username and password from profile VPN1. They have no access to the resources, but they can get the connection no problem.

What it seems to do is give the IP from the connection pool for the username that logs on, so they are on the wrong subnet when they connect to a VPN that they have no profile on. I am not sure, but if they went into their networking and manually changed their IP to one on the VLAN they don't have a profile on, I think they would be able to get at the resources.

pskipton01 Fri, 07/23/2010 - 06:05

Seems like I have found the problem: lock the user to the VPN group and it stops them from getting into any other VPN tunnel.
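To check an ASA for the condition this thread describes, the following added example (not code from the thread or from Cisco) scans a saved running-config for local users with no effective `group-lock`. The config excerpt and all names in it are constructed, and the inheritance model is a simplifying assumption: a username attribute wins over the user's assigned `vpn-group-policy`, and the default group policy and external AAA attributes are not modelled.

```python
import re

# Constructed excerpt of an ASA running-config; all names are hypothetical.
SAMPLE_CONFIG = """\
group-policy GP-VPN1 attributes
 group-lock value VPN1
group-policy GP-VPN2 attributes
 vpn-idle-timeout 30
username alice attributes
 vpn-group-policy GP-VPN1
username bob attributes
 vpn-group-policy GP-VPN2
username carol attributes
 group-lock value VPN2
tunnel-group VPN1 type remote-access
tunnel-group VPN2 type remote-access
"""

def parse_sections(config):
    """Map (kind, name) -> {attribute: value} for each 'attributes' block."""
    sections, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^(group-policy|username) (\S+) attributes$", line)
        if header:
            current = sections.setdefault(header.groups(), {})
        elif line.startswith(" ") and current is not None:
            key, _, value = line.strip().partition(" ")
            current[key] = value
        else:
            current = None  # any other top-level line ends the block
    return sections

def effective_group_locks(config):
    """Return {username: locked tunnel-group, or None if the user is not locked}."""
    sections = parse_sections(config)
    locks = {}
    for (kind, name), attrs in sections.items():
        if kind == "username":
            policy = sections.get(("group-policy", attrs.get("vpn-group-policy")), {})
            # Assumption: a user-level setting overrides the group policy's.
            lock = attrs.get("group-lock") or policy.get("group-lock") or "none"
            locks[name] = None if lock == "none" else lock.split()[-1]
    return locks

def unlocked_users(config):
    """Users who can authenticate through any connection profile."""
    return sorted(u for u, lock in effective_group_locks(config).items() if lock is None)
```

On the constructed sample, `unlocked_users(SAMPLE_CONFIG)` reports `bob`, whose group policy carries no `group-lock value` line.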

