VPN Into Specific Subnetworks

Hello All,

I'm trying to set this up in my test environment before I tell a friend they can do this.

Let's say we have a router, a 7204 w/ NPE-200.

FA0/0 is configured with a /28 from an ISP

FA1/0 is configured with multiple /24s for internal use (10.5.0.0/24 for example).

Each subnetwork (10.[1-5].0.0/24) has separate systems connected to the router for NAT translation, trunked over 802.1q into a switch, where that is transported over to servers.

We want to create a Remote Access scenario in which a user will be able to connect and their laptop/desktop will be assigned the correct subnetwork they are allowed access to. BUT if we can't do that, then we are ok with creating our own "VPN Subnetwork," where the user receives an address from 10.99.0.0/24, but then comes the question of locking down that specific user to the networks (and possibly hosts) he should have access to.

Here's what I have been able to gather.

1) Local authentication will work, but AFAIK you can't specify ACLs for specific users once they are connected?

2) RADIUS/TACACS/AAA may be our best bet for customizing the per-user connections.

Let me know how I should approach this remote access scenario.

Thanks,

Israel

3 REPLIES

Re: VPN Into Specific Subnetworks

Israel,

The link below explains how to configure the ASA for downloadable ACLs per user using a RADIUS server.

http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1043722

HTH.


Re: VPN Into Specific Subnetworks

Hi,

Just a thought on point 1) Local Authentication:

You can apply an ACL to a group-policy, the group-policy to a connection profile, and the connection profile or the group-policy to a local user:

username myuser attributes
 vpn-group-policy mygrouppolicy
 group-lock value myconnectionprofile
 service-type remote-access

Regards

D.
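As an added example (not part of this thread), the chain described in the reply above written out as a complete ASA configuration for the scenario in the question: the client is addressed from 10.99.0.0/24 and a vpn-filter on the group-policy restricts that user to 10.5.0.0/24 only. The names VPN_POOL, VPN_FILTER_SUBNET5, GP_SUBNET5, TG_SUBNET5 and the user "alice" are assumed, and the syntax is ASA 8.x-style (the replies discuss an ASA, not the 7204 router from the question).

```cisco
! Address pool handed to remote-access clients (the "VPN subnetwork" from the question)
ip local pool VPN_POOL 10.99.0.10-10.99.0.100 mask 255.255.255.0
!
! vpn-filter ACLs are written with the inside resource as the SOURCE and the
! VPN client as the DESTINATION; the ASA applies them to both directions.
! Only 10.5.0.0/24 is reachable; everything else is denied explicitly so the
! intent is visible in "show access-list" hit counts.
access-list VPN_FILTER_SUBNET5 extended permit ip 10.5.0.0 255.255.255.0 10.99.0.0 255.255.255.0
access-list VPN_FILTER_SUBNET5 extended deny ip any any
!
! Group-policy carries the per-user restriction
group-policy GP_SUBNET5 internal
group-policy GP_SUBNET5 attributes
 vpn-filter value VPN_FILTER_SUBNET5
!
! Connection profile (tunnel-group) ties the pool and the group-policy together
tunnel-group TG_SUBNET5 type remote-access
tunnel-group TG_SUBNET5 general-attributes
 address-pool VPN_POOL
 default-group-policy GP_SUBNET5
!
! Local user: pinned to the group-policy and locked to this connection profile,
! so a login through any other profile is rejected (assumed user name; placeholder password)
username alice password REPLACE_WITH_REAL_PASSWORD
username alice attributes
 vpn-group-policy GP_SUBNET5
 group-lock value TG_SUBNET5
 service-type remote-access
```

To give another user a different subnet, add a second access-list/group-policy pair and point that user at it; the pool can be shared because the filter, not the address, enforces the restriction.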
