VPN profile (tunnel group) under the same IP pool

andresitotubia
Level 1

Hello,

I have VPN clients working perfectly on my Cisco ASA 5510. The thing is that now I want to create a new profile or tunnel group in order to create a new ACL, because I want to restrict access to only some hosts. But I don't know if I can do that under the same IP pool. If the answer is yes, how could I link the new tunnel group to the correct ACL?

This is my config:

access-list vpnxxxx extended permit ip any 192.168.125.0 255.255.255.0
ip local pool ippool 192.168.125.10-192.168.125.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnxxxx
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx
 key xxxx
crypto dynamic-map dynmap1 20 set transform-set myset1
crypto dynamic-map dynmap1 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap1 20 set security-association lifetime kilobytes 4608000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA-VPN internal
group-policy RA-VPN attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
 split-tunnel-policy tunnelspecified
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN
tunnel-group RA-VPN ipsec-attributes
 pre-shared-key *

Thanks


4 Replies

b.julin
Level 3

I don't see why not.

Here we don't use pools; we use scopes and a DHCP server.  The two RADIUS attributes we send back for the scope and the filter are independent of each other, so we could assign from the same scope with a different filter ACL easily if we wanted to.

Julin,

I don't see how I can link the tunnel group with the ACL.

For example, if I declare a new ACL

access-list newvpn extended permit ip host 172.16.1.198 192.168.125.0 255.255.255.0

then in the new tunnel group there is no place where I can link to that ACL.

Do you know what I mean?

Accepted solution:

The command is "vpn-filter" in the group-policy section.

Define a group policy for each tunnel group, and select it with "default-group-policy" in the tunnel-group section.
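Putting the accepted answer together with the poster's existing configuration, here is an added example (not from the original thread) of a second tunnel group that shares the same `ippool` but gets its own filter. The names `RA-VPN-RESTRICTED` and `newvpn-filter` are my own; `172.16.1.198` is the inside host the poster wants to expose and `172.16.1.100` is the DNS server already handed out by the existing group policy.

```cisco
! Added example, not part of the original post. Names and the choice of
! what to permit are assumptions for illustration.
!
! A vpn-filter ACL is written with the VPN client (the pool address) as the
! source and the inside resource as the destination. The ASA checks the filter
! against traffic in both directions, so one entry per allowed flow is enough.
! Note that this is the opposite order from the ACL the poster drafted above.
access-list newvpn-filter extended permit ip 192.168.125.0 255.255.255.0 host 172.16.1.198
! Keep DNS working for clients in this group; without it name resolution fails.
access-list newvpn-filter extended permit udp 192.168.125.0 255.255.255.0 host 172.16.1.100 eq domain
! Everything else from this group is dropped by the ACL's implicit deny.

! A separate group policy that carries the filter. The other attributes are
! copied from RA-VPN so the restricted group behaves the same otherwise.
group-policy RA-VPN-RESTRICTED internal
group-policy RA-VPN-RESTRICTED attributes
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 vpn-filter value newvpn-filter

! The second tunnel group. It reuses the same address pool; only the
! default-group-policy (and therefore the filter) differs.
tunnel-group RA-VPN-RESTRICTED type remote-access
tunnel-group RA-VPN-RESTRICTED general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN-RESTRICTED
tunnel-group RA-VPN-RESTRICTED ipsec-attributes
 pre-shared-key *
```

Two caveats worth checking before relying on this. First, a group policy with no `vpn-filter` permits all decrypted traffic (and `sysopt connection permit-vpn`, the default, exempts VPN traffic from the interface ACLs), so the unrestricted `RA-VPN` group stays wide open; use a different pre-shared key for each tunnel group, because with IKEv1 remote access the client chooses the tunnel group by the group name and key it presents. If users must be pinned to a group regardless of which one they select, have RADIUS return the group policy per user and set `group-lock value` in that policy. Second, verify the filter is actually attached: `show vpn-sessiondb detail remote` lists the "Filter Name" for each session, and `show access-list newvpn-filter` shows hit counts climbing as the client generates traffic.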

Thanks Julin! That was the command I was looking for. Appreciate it!
