09-21-2010 06:06 AM
Hello,
I have VPN clients working perfectly on my Cisco ASA 5510. The thing is that now I want to create a new profile or tunnel group in order to create a new ACL, because I want to restrict access to only some hosts. But I don't know if I can do that under the same IP pool. If the answer is yes, how could I link the new tunnel group to the correct ACL?
This is my config:
access-list vpnxxxx extended permit ip any 192.168.125.0 255.255.255.0
ip local pool ippool 192.168.125.10-192.168.125.254
nat (outside) 1 192.168.125.0 255.255.255.0
nat (inside) 0 access-list vpnxxxx
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol radius
aaa-server partnerauth (inside) host xxxx.xxxx.xxxx.xxxx
key xxxx
crypto dynamic-map dynmap1 20 set transform-set myset1
crypto dynamic-map dynmap1 20 set security-association lifetime seconds 28800
crypto dynamic-map dynmap1 20 set security-association lifetime kilobytes 4608000
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
group-policy RA-VPN internal
group-policy RA-VPN attributes
dns-server value 172.16.1.100
vpn-idle-timeout 30
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
split-tunnel-policy tunnelspecified
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
address-pool ippool
authentication-server-group (outside) partnerauth
default-group-policy RA-VPN
tunnel-group RA-VPN ipsec-attributes
pre-shared-key *
Thanks
09-21-2010 06:51 AM
The command is "vpn-filter" in the policy-group section.
Define a policy group for each tunnel group, and select it with "default-group-policy" in the tunnel section.
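As an added example (not from the thread or the poster's config), here is how the answer above applies to the original setup: a second group-policy carrying a vpn-filter and a second tunnel-group that reuses the existing pool ippool and RADIUS server, so clients landing in it can only reach one inside host. The names RA-VPN-RESTRICTED and newvpn-filter are hypothetical; 172.16.1.198 and the DNS server 172.16.1.100 are taken from the thread.

```cisco
! Added example, hypothetical names; not the poster's running config.
! vpn-filter ACLs are evaluated with the client's assigned (pool) address as the
! source and the inside resource as the destination; the ASA applies the same
! ACL to return traffic, so one line per permitted flow is enough.
access-list newvpn-filter extended permit ip 192.168.125.0 255.255.255.0 host 172.16.1.198
! The implicit deny at the end of the filter would also drop DNS to the server
! pushed by dns-server value, so permit it explicitly.
access-list newvpn-filter extended permit udp 192.168.125.0 255.255.255.0 host 172.16.1.100 eq domain
!
! Second group-policy: same settings as RA-VPN plus the filter.
group-policy RA-VPN-RESTRICTED internal
group-policy RA-VPN-RESTRICTED attributes
 vpn-filter value newvpn-filter
 dns-server value 172.16.1.100
 vpn-idle-timeout 30
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
!
! Second tunnel-group: same address pool and RADIUS server as RA-VPN, but
! default-group-policy points at the restricted policy, which is the link
! between the tunnel group and the ACL the original question asked about.
tunnel-group RA-VPN-RESTRICTED type remote-access
tunnel-group RA-VPN-RESTRICTED general-attributes
 address-pool ippool
 authentication-server-group (outside) partnerauth
 default-group-policy RA-VPN-RESTRICTED
tunnel-group RA-VPN-RESTRICTED ipsec-attributes
 pre-shared-key *
!
! Verification: hit counts on the filter ACL climb as restricted clients pass
! traffic, and denied flows show up in the syslog as %ASA-4-106023 with the
! ACL name.
! show access-list newvpn-filter
! show running-config group-policy RA-VPN-RESTRICTED
```

Clients reach the new tunnel group by using its group name and pre-shared key in the IPsec client profile, so the same pool can serve both groups while only the restricted one gets the filter.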
09-21-2010 06:21 AM
I don't see why not.
Here we don't use pools; we use scopes and a DHCP server. The two RADIUS attributes we send back for the scope and the filter are independent of each other, so we could assign from the same scope with a different filter ACL easily if we wanted to.
09-21-2010 06:38 AM
Julin,
I don't see how I can link the tunnel group with the ACL.
For example, if I declare a new ACL
access-list newvpn extended permit ip host 172.16.1.198 192.168.125.0 255.255.255.0
then in the new tunnel group there is no place where I can link to that ACL.
Do you know what I mean?
09-23-2010 12:46 PM
Thanks Julin! That was the command I was looking for. Appreciate it!