VPN profile (tunnel group) under the same IP pool

Answered Question
Sep 21st, 2010

Hello,

I have VPN clients working perfectly on my Cisco ASA 5510. The thing is that now I want to create a new profile or tunnel group in order to create a new ACL, because I want to restrict access to only some hosts. But I don't know if I can do that under the same IP pool. If the answer is yes, how could I link the new tunnel group to the correct ACL?

This is my config:

access-list vpnxxxx extended permit ip any 192.168.125.0 255.255.255.0

ip local pool ippool 192.168.125.10-192.168.125.254

nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnxxxx

aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx
 key xxxx

crypto dynamic-map dynmap1 20 set transform-set myset1
crypto dynamic-map dynmap1 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap1 20 set security-association lifetime kilobytes 4608000

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept

group-policy RA-VPN internal
group-policy RA-VPN attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key *

Thanks

Correct Answer by b.julin about 6 years 10 months ago

The command is "vpn-filter" in the policy-group section.


Define a policy group for each tunnel group, and select it with "default-group-policy" in the tunnel section.

b.julin Tue, 09/21/2010 - 06:21

I don't see why not.


Here we don't use pools; we use scopes and a DHCP server.  The two RADIUS attributes we send back for the scope and the filter are independent of each other, so we could assign from the same scope with a different filter ACL easily if we wanted to.

andresitotubia Tue, 09/21/2010 - 06:38

Julin,

I don't see how I can link the tunnel group with the ACL.

For example, if I declare a new ACL

access-list newvpn extended permit ip host 172.16.1.198 192.168.125.0 255.255.255.0

then in the new tunnel group there is no place where I can link to that ACL.

Do you know what I mean?

Correct Answer
b.julin Tue, 09/21/2010 - 06:51

The command is "vpn-filter" in the policy-group section.


Define a policy group for each tunnel group, and select it with "default-group-policy" in the tunnel section.
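As an added illustration of this answer (example configuration written for this page, not taken from the original thread or from Cisco documentation), here is how the existing RA-VPN group and a second, restricted group can share the single pool ippool while each gets its own vpn-filter ACL. The names RA-VPN-RESTRICTED, filter-full and filter-restricted are assumed; the pool, the partnerauth server and the inside host 172.16.1.198 come from the thread.

```cisco
! Added example, not part of the original post.
! Two tunnel groups share one address pool; the ACL that restricts each
! session is selected through the group-policy the tunnel group points to.

! The pool from the question, unchanged; both tunnel groups draw from it.
ip local pool ippool 192.168.125.10-192.168.125.254

! Filter for the existing, unrestricted group.
! vpn-filter ACLs are written with the VPN client (pool) address as the
! source; the ASA checks them for traffic in both directions of a flow,
! and anything not permitted is dropped (implicit deny).
access-list filter-full extended permit ip 192.168.125.0 255.255.255.0 any

! Filter for the new group: clients may reach only one inside host.
access-list filter-restricted extended permit ip 192.168.125.0 255.255.255.0 host 172.16.1.198

! Attach the unrestricted filter to the existing group-policy.
group-policy RA-VPN attributes
 vpn-filter value filter-full

! Second group-policy (assumed name), same client settings as RA-VPN
! but with the restrictive filter.
group-policy RA-VPN-RESTRICTED internal
group-policy RA-VPN-RESTRICTED attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 vpn-filter value filter-restricted

! Second tunnel group (assumed name): same pool, same RADIUS server,
! its own pre-shared key, and default-group-policy pointing at the
! restricted policy. This is the link the question was asking for.
tunnel-group RA-VPN-RESTRICTED type remote-access
tunnel-group RA-VPN-RESTRICTED general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN-RESTRICTED
tunnel-group RA-VPN-RESTRICTED ipsec-attributes
 pre-shared-key *
```

Clients reach the restricted group by using RA-VPN-RESTRICTED as the group name in their IPsec client profile together with that group's pre-shared key. Because the pool is unchanged, the existing nat 0 exemption for 192.168.125.0/24 still covers both groups. To confirm which filter a connected session received, look at the Filter Name field in the output of show vpn-sessiondb remote; the ACL orientation matters, so if a filter written with the inside host as the source does not take effect, check that the pool side is the source in each entry.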

andresitotubia Thu, 09/23/2010 - 12:46

Thanks Julin! That was the command I was looking for. Appreciated!
