Secure remote access VPN with ASA

andy-gerace
Level 1

I am terminating VPN connections on an ASA and want to set up some sort of ACL or something that will only allow the clients to connect to IP ranges that I specify.

If it were an L2L VPN, I could use the match address, but since it's a dynamic map, how do I specify what these clients have access to and what they don't? Thanks!

3 Replies

smahbub
Level 6

Learn to use the SSL VPN feature to give users increased mobility and flexibility for VPN access by enabling them to establish secure remote-access VPN tunnels to an ASA using only a Web browser. After a brief explanation of SSL VPN and how it compares to traditional VPNs, watch a demonstration of how to configure the ASA to support the SSL VPN feature set.

www.cisco.com/application/pdf/en/us/guest/products/ps6120/c1031/cdccont_0900aecd8033abef.pdf

r.vdoever
Level 1

You probably already solved this, but here goes:

tunnel-group VPN-GROUP general-attributes
 address-pool VPN-POOL
 authentication-server-group RADIUS
 default-group-policy VPN-Policy
group-policy VPN-Policy attributes
 vpn-filter value Client-Filter-VPN
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel-VPN

Then define an access-list Client-Filter-VPN which defines what the VPN-users (source-address from VPN-POOL) may connect to.
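An added example, not part of the original reply, of the two access lists that the configuration above references. All addresses, the pool range and the permitted services are constructed placeholders; the only names taken from the thread are VPN-POOL, Client-Filter-VPN and split-tunnel-VPN.

```cisco
! Constructed example: every address and port below is a placeholder.
!
! Address pool handed to remote-access clients.
ip local pool VPN-POOL 10.99.0.1-10.99.0.254 mask 255.255.255.0
!
! ACL referenced by "vpn-filter value Client-Filter-VPN".
! In a vpn-filter ACL the remote (client pool) addresses are always in the
! source position and the protected inside addresses in the destination.
access-list Client-Filter-VPN extended permit tcp 10.99.0.0 255.255.255.0 host 192.168.10.20 eq 443
access-list Client-Filter-VPN extended permit tcp 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 3389
! Explicit final deny with logging, so blocked attempts show up in syslog
! instead of being dropped silently by the implicit deny.
access-list Client-Filter-VPN extended deny ip any any log
!
! ACL referenced by "split-tunnel-network-list value split-tunnel-VPN".
! This only controls which destinations the client routes into the tunnel;
! it is not an access control. The vpn-filter above is what enforces access.
access-list split-tunnel-VPN standard permit 192.168.10.0 255.255.255.0
access-list split-tunnel-VPN standard permit 192.168.20.0 255.255.255.0
```

Keep the split-tunnel list no wider than the networks the filter permits, and do not reuse the vpn-filter ACL in an interface access-group.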

Yes, I did figure that out already. Your answer is exactly what I ended up doing. It just seemed way too simple to be a basic ACL to solve this problem. I over-thought it :-)
