Multiple VPN groups on the ASA firewall

Answered Question
Aug 27th, 2010

I have a remote VPN configured in my ASA firewall with a VPN group of users configured on the external ACS. The group called VPNASA authenticates through the ACS server and the IP pool server is on the ASA firewall. Now my boss asked me to configure a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate to the same ACS server? I have never done this before so I need help.


Thanks so much!

Correct Answer
manish arora Fri, 08/27/2010 - 09:31

Hi,

All that you need to do is create another group policy and attach it to a tunnel group:


! Group policy for the sales users
group-policy vpnsales internal
group-policy vpnsales attributes
 banner value VPN access for sales team
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-sales
 address-pools value sales-pool
 default-domain value mydomain.com

! Tunnel group that applies the policy
tunnel-group vpnsales type remote-access
tunnel-group vpnsales general-attributes
 authentication-server-group vpnsales
 default-group-policy vpnsales
tunnel-group vpnsales ipsec-attributes
 pre-shared-key @@@@


You will also create an attribute map named vpnsales for ACS auth.


Thanks

Manish
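
The snippet above refers to a split-tunnel ACL (split-sales), an address pool (sales-pool) and an AAA server group (vpnsales) that it does not define. The following is an added example, not part of the original answer: a small Python check that lists names a config text references but never defines. The function name `undefined_references` and the sample text (built from the answer's lines) are assumptions made for illustration.

```python
import re

# Object definitions: (kind, regex capturing the defined name).
DEFINES = [
    ("pool", re.compile(r"^ip local pool (\S+)")),
    ("acl", re.compile(r"^access-list (\S+)")),
    ("aaa-server", re.compile(r"^aaa-server (\S+) protocol")),
    ("group-policy", re.compile(r"^group-policy (\S+) (?:internal|external)")),
]
# References made under group-policy / tunnel-group sub-modes.
REFERENCES = [
    ("pool", re.compile(r"^address-pools? (?:value )?(.+)")),
    ("acl", re.compile(r"^split-tunnel-network-list value (\S+)")),
    ("aaa-server", re.compile(r"^authentication-server-group (?:\(\S+\) )?(\S+)")),
    ("group-policy", re.compile(r"^default-group-policy (\S+)")),
]
# Built-in names and keywords that need no definition.
SKIP = {"LOCAL", "DfltGrpPolicy", "none"}

# Constructed sample: the answer's config, with no supporting objects.
SAMPLE = """
group-policy vpnsales internal
group-policy vpnsales attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-sales
 address-pools value sales-pool
tunnel-group vpnsales type remote-access
tunnel-group vpnsales general-attributes
 authentication-server-group vpnsales
 default-group-policy vpnsales
"""

def undefined_references(config_text):
    """Return (kind, name) pairs that are referenced but never defined."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    defined = {(k, m.group(1)) for ln in lines
               for k, rx in DEFINES if (m := rx.match(ln))}
    missing = []
    for ln in lines:
        for kind, rx in REFERENCES:
            m = rx.match(ln)
            for name in (m.group(1).split() if m else []):
                if name in SKIP or name.startswith("("):  # keyword or (interface)
                    continue
                if (kind, name) not in defined and (kind, name) not in missing:
                    missing.append((kind, name))
    return missing

if __name__ == "__main__":
    for kind, name in undefined_references(SAMPLE):
        print(f"referenced but not defined: {kind} {name}")
```
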

jeanaguemon Tue, 08/31/2010 - 07:23

Thanks. That did the trick and it is working. Thanks a lot!!

terrygwazdosky Fri, 08/27/2010 - 09:30

You can create separate tunnel groups and policies on the ASA.  If you are managing all restrictions on the ACS then you don't really need to do this.


I have 2 VPN groups on my ASA.  "VPN" is for regular users and "NetOps" is for engineers.  I also have several groups on the ACS and manage restrictions with downloadable access lists.
