Cisco Support Community

New Member

VPN 3015 restricting where users can go

We have a Cisco VPN Concentrator 3015 working just fine using our Cisco ACS to authenticate clients VPNing into our network through broadband. We are in the process of outsourcing all our dial-up connections to another provider, requiring the user to then VPN into our network once dialed into the new ISP’s network (I know not a good way to provide speed). What I need to do is use the VPN concentrator (or ACS) to restrict where the VPN users can go on the network (the two options are Internet, Email, internal applications OR just Internet). These restrictions are presently in place for our current dial-up users (into our network - that are going away) through an ACL on the 5200s. Since this step is being eliminated altogether (and the 5200s) through outsourcing the dial-up connections – can this be easily done on the concentrator once the user launches the VPN client to gain access to our network? I’m not authenticating anyone on the concentrator at this point – just using the ACS. I certainly hope this makes some sense. Any suggestions are welcome! Thanks, Lisa Smith

Cisco Employee

Re: VPN 3015 restricting where users can go

Under the group settings on the VPN3000 there's an option to define a filter for that group; this defines where the users can (and cannot) go on the internal network.

The following sample config shows how to configure the filter and assign it to a group, and even how to assign it to specific users via the RADIUS server if you like:

New Member

Re: VPN 3015 restricting where users can go

Thanks. This is what I needed to point me in the right direction. Lisa