split tunnel based on remote user location

franpena2008
Level 1

Good afternoon,

For remote VPN users, I would like to configure a dynamic VPN split tunnel depending on where they are connecting from.

For example, if a remote user is connected to the ASA from Italy, authenticated via the ACS RADIUS server, a split tunnel list will be applied allowing the user to access local resources; if the same user is connecting from Germany, apply a split tunnel list allowing the local resources for the Germany office...

Is it possible to achieve this? Any link or related documentation?

Thanks for your support

2 Replies

Michael Dombek
Level 1

Hi there, sure you can do this.

When your user connects, you have to assign him a dACL and Shared RAC based on the Network Access Profile and the NAF for your locations.

E.g.:

Create a Network Access Filter for Germany with all your German ASAs, one for Italy with all your Italian ASAs, etc.

Create a "Germany" Shared RAC with the important German settings (DNS, WINS, etc.)

Create an "Italy" Shared RAC with the settings for Italy

Create a dACL (for each location)

Then go and create a Network Access Profile for Germany and one for Italy - apply the network filter and, under authorization, assign the dACL and sRAC.

Should work without problems.

Maybe have a look here:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sp.html

HTH

Cheers Michael

I am working with the ACS appliance v5.1 for RADIUS authentication/authorization.

All clients are connecting to the same central ASA.

I have found in ACS Policy Elements - End Station Filters - where I think I can differentiate where the clients are located.

Does anybody know if end station filters refer to the clients' network or to the ASA?

Thanks and best regards

Fran
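As an added example (not configuration from either post), this is how the ASA side of the scheme Michael describes could look for the single central ASA Fran mentions: one standard split-tunnel ACL and one group policy per location, with the RADIUS server choosing the group policy by returning the IETF `Class` attribute as `OU=<group-policy-name>`. All names, addresses and the shared secret are placeholders, and the choice of a tunnel-all default policy for unclassified users is a design assumption, not something the thread states.

```cisco
! --- Assumed ASA configuration (added example, not from the thread) ---
! Split-tunnel ACLs: only the listed office networks go through the tunnel,
! everything else stays on the user's local Internet connection.
access-list SPLIT-GERMANY standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-ITALY standard permit 10.20.0.0 255.255.0.0
!
! One group policy per location, carrying the location-specific settings
group-policy GP-GERMANY internal
group-policy GP-GERMANY attributes
 dns-server value 10.10.1.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-GERMANY
!
group-policy GP-ITALY internal
group-policy GP-ITALY attributes
 dns-server value 10.20.1.53
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ITALY
!
! Default policy for users the RADIUS server does not classify:
! tunnel everything, so a missing attribute fails closed rather than open
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 split-tunnel-policy tunnelall
!
! RADIUS server group pointing at the ACS appliance (placeholder address/key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key <shared-secret-placeholder>
!
! The tunnel group authenticates against ACS; the per-user Class attribute
! returned by ACS overrides the default group policy set here.
tunnel-group REMOTE-VPN type remote-access
tunnel-group REMOTE-VPN general-attributes
 authentication-server-group ACS
 default-group-policy GP-DEFAULT
```

On the ACS side, the authorization profile for each location would return `Class` (IETF RADIUS attribute 25) with the value `OU=GP-GERMANY` or `OU=GP-ITALY`; the rule selecting that profile would key on the client's source address, which is assumed here to reach ACS in the `Calling-Station-Id` attribute (the value an End Station Filter would match against). After a test login, `show vpn-sessiondb detail` on the ASA shows which group policy was applied, so a user landing in `GP-DEFAULT` indicates the location rule did not match rather than silently getting a wider split tunnel.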