New Member

Need Help, I need to Allow a small group of VPN users to a specific DHCP.

I am running a Cisco ASA 5520 ver 8.3(2), ASDM 6.3(3). I have a small group of users that need to VPN into a specific DHCP range that I set up on the Cisco ASA 5520. We are going to use attributes from Active Directory. I need some help in setting this up. Any help would be greatly appreciated.

Accepted Solutions
Hall of Fame Super Silver

You can do it at least two ways.

Since you've already created a new group policy for them, simply edit it so that it only tunnels the networks you wish to allow them to access. In ASDM you would go to Configuration > Remote Access VPN > Network (Client) Access > Group Policies. Select the new policy and choose Edit. In the new window, go to Advanced > Split Tunneling. Choose the Policy "Tunnel Network List Below". Next to Network List click Manage and use the dialog box to create an access-list comprised of the networks you want to restrict them to. Click OK, Apply, etc.

When they log in next using that profile you can confirm they only get routes for the restricted networks (click on AnyConnect gear icon to validate).

The other method you could use is to continue to use the old group profile but put a vpn-filter value on those individual users. (That's set up in the user properties.) They would still get all the routes and be assigned addresses from the same pool as your other users, but would have an access-list (invisible to them but effective nonetheless) affecting what addresses they can reach.

These are covered in the Configuration Guide (ASDM 7.x release in the link).

There's a configuration example that's a bit dated but more in keeping with the older menus you might encounter based on your ASDM 6.3(3) version. It's also on the product support page here.
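The two ASDM procedures above map onto a handful of CLI lines, which is the easier form to review and to paste into a change record. This is an added example, not configuration from the thread or from Cisco documentation; the group policy name GP_RESTRICTED, the ACL names SPLIT_RESTRICTED and VPNFILTER_RESTRICTED, the username jdoe, the client pool 192.168.50.0/24 and the site-to-site network 10.20.0.0/16 are all assumed placeholders standing in for the original poster's own values.

```cisco
! Added example (not from the thread): CLI equivalents of the two ASDM methods.
! Assumed placeholders: GP_RESTRICTED (the group policy the poster created),
! 192.168.50.0/24 (the address pool that policy hands out), 10.20.0.0/16
! (the network behind the site-to-site tunnel those users may reach), jdoe.
!
! Method 1: split tunneling. Only the listed networks are routed into the
! tunnel; everything else stays off the VPN. The client can see this route
! list (AnyConnect gear icon), so it is a routing restriction, not an ACL.
access-list SPLIT_RESTRICTED standard permit 10.20.0.0 255.255.0.0
!
group-policy GP_RESTRICTED attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_RESTRICTED
!
! Method 2: vpn-filter. The ACL is enforced on the ASA and is invisible to the
! user. It is written from the remote side: source = the client's assigned
! address, destination = the internal resource. The implicit deny at the end
! drops anything not listed. Because the default "sysopt connection permit-vpn"
! lets decrypted VPN traffic bypass interface ACLs, the vpn-filter is the
! control that actually limits where these users can go.
access-list VPNFILTER_RESTRICTED extended permit ip 192.168.50.0 255.255.255.0 10.20.0.0 255.255.0.0
!
! Per user, as the answer describes (user properties):
username jdoe attributes
 vpn-filter value VPNFILTER_RESTRICTED
!
! Or once for everyone who lands in the restricted group policy:
group-policy GP_RESTRICTED attributes
 vpn-filter value VPNFILTER_RESTRICTED
```

After the user reconnects, `show vpn-sessiondb anyconnect filter name jdoe` lists the session with the filter it was given, and `show access-list VPNFILTER_RESTRICTED` shows hit counts rising only on the permit line, which is the check that the restriction is in force. Split tunneling only decides what the client routes into the tunnel; the vpn-filter is what the ASA enforces, so when the requirement is that these users reach nothing but the site-to-site network, apply the filter (per user or on the restricted group policy) rather than relying on the route list alone.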

3 REPLIES
Hall of Fame Super Silver

Do you have an existing VPN setup working?

If so, is it using the old Cisco IPsec client or the modern AnyConnect Secure Mobility client?

Depending on what type you have (and if you're licensed for AnyConnect = SSL VPN or IPsec IKEv2), the instructions vary.

New Member

We are using the AnyConnect Secure. I have gone a different route. I created another group policy so when users VPN in they can select which group they VPN into (the default or the special one I created). The one I created has a second authentication username and password. Once they are in, that puts them in the IP range I need them to be in. Now I just need to restrict them from having access to most of my network. I am fairly new to ASAs. The segment I need to restrict can only have access to the site-to-site VPN that their IP range is part of. I can ping IP addresses on the site-to-site, but I don't want them to have any access to the rest of my network. I am looking for a guide to do this for ASA ver 8.3, ASDM 6.3.
