New Member

VPN questions

Hi

First I must admit that I'm newb with Cisco firewalls.

I have a situation where I have customers' servers with public IP addresses behind an ASA 5510. Addresses are not NATed. Some customers want to access their server via a VPN connection. Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA? The ASA inside interface is the servers' GW. Can I control that one customer can only access a certain server, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?

6 REPLIES
Green

Re: VPN questions

Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is in when they make a VPN connection to the ASA?

No. VPN pool should be different.

Can I control that one customer can only access a certain server, because all servers are on the same VLAN and different customers' servers are separated only with protected ports?

Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses.

Cisco Employee

Re: VPN questions

Or, in case you have to use the same tunnel group for all users, you can assign different group policies to different usernames, and thus different split-tunnel policies. A user-based group policy takes precedence over the group-based group policy.

-Kanishka

New Member

Re: VPN questions

"Do I have to give them a virtual IP that is also public and from the same pool that the ASA inside interface is when they make VPN connection to ASA?

No. VPN pool should be different. "

So when I have for example the 11.0.0.0/24 network on my inside interface, I can use IP addresses from 10.0.0.0/24 in the VPN pool? And from there on it's just a routing issue?

Green

Re: VPN questions

Yes, anything other than 11.0.0.0 would be fine.

New Member

Re: VPN questions

Yes. You could simply create separate tunnel-groups for each customer, and the traffic defined within that VPN would be to specific servers' IP addresses.

How do I specify the addresses the client can connect to?

Green

Re: VPN questions

As Kanishka said above, you can have different split tunnel policies defining the traffic to be permitted over the tunnel.
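The following is an added ASA configuration example illustrating the advice given in this thread (a VPN pool outside the inside subnet, one tunnel-group per customer, a user-based group-policy override on a shared tunnel-group, and split-tunnel lists naming only that customer's server). It is not configuration posted by anyone in the thread. It assumes ASA 8.2-style IKEv1 remote-access syntax, the 11.0.0.0/24 inside and 10.0.0.0/24 pool subnets used above, and constructed server addresses 11.0.0.11 and 11.0.0.12; the pre-shared keys and passwords are placeholders. One point the thread does not spell out: a split-tunnel list only tells the client which destinations to send through the tunnel, it is not enforced by the ASA. The per-group `vpn-filter` ACL is what actually stops a customer's client from reaching another customer's server, so both are configured here.

```cisco
! --- Added example, not from the thread. Assumed ASA 8.2 syntax. ---
! Pool for VPN clients: deliberately NOT inside 11.0.0.0/24 (the inside
! subnet), as recommended above. The servers reach 10.0.0.0/24 via the
! ASA because the inside interface is already their default gateway.
ip local pool VPN-POOL 10.0.0.10-10.0.0.200 mask 255.255.255.0

! Split-tunnel lists (standard ACLs): what each client routes into the
! tunnel. Server addresses 11.0.0.11 / 11.0.0.12 are constructed.
access-list CUST1-SPLIT standard permit host 11.0.0.11
access-list CUST2-SPLIT standard permit host 11.0.0.12

! vpn-filter ACLs (extended): enforced on the ASA for every packet in the
! tunnel, so a client that ignores the split list still cannot reach a
! server belonging to another customer. Source = VPN client side.
access-list CUST1-FILTER extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.11
access-list CUST2-FILTER extended permit ip 10.0.0.0 255.255.255.0 host 11.0.0.12

! One group-policy per customer ties the split list and filter together.
group-policy CUST1-GP internal
group-policy CUST1-GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST1-SPLIT
 vpn-filter value CUST1-FILTER

group-policy CUST2-GP internal
group-policy CUST2-GP attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CUST2-SPLIT
 vpn-filter value CUST2-FILTER

! Pattern 1 (Green's reply): a separate tunnel-group per customer, each
! with its own pre-shared key and default group-policy.
tunnel-group CUST1-TG type remote-access
tunnel-group CUST1-TG general-attributes
 address-pool VPN-POOL
 default-group-policy CUST1-GP
tunnel-group CUST1-TG ipsec-attributes
 pre-shared-key <CUST1-PSK-PLACEHOLDER>

tunnel-group CUST2-TG type remote-access
tunnel-group CUST2-TG general-attributes
 address-pool VPN-POOL
 default-group-policy CUST2-GP
tunnel-group CUST2-TG ipsec-attributes
 pre-shared-key <CUST2-PSK-PLACEHOLDER>

! Pattern 2 (Kanishka's reply): one shared tunnel-group, and the
! group-policy is selected per username. The username-level
! vpn-group-policy overrides the tunnel-group default. DfltGrpPolicy
! is used here as a deliberately restrictive default (deny-everything
! filter) so an account without an explicit assignment gets nothing.
access-list DENY-ALL extended deny ip any any
group-policy DfltGrpPolicy attributes
 vpn-filter value DENY-ALL

tunnel-group SHARED-TG type remote-access
tunnel-group SHARED-TG general-attributes
 address-pool VPN-POOL
tunnel-group SHARED-TG ipsec-attributes
 pre-shared-key <SHARED-PSK-PLACEHOLDER>

username cust1-admin password <PASSWORD-PLACEHOLDER>
username cust1-admin attributes
 vpn-group-policy CUST1-GP
username cust2-admin password <PASSWORD-PLACEHOLDER>
username cust2-admin attributes
 vpn-group-policy CUST2-GP

! Minimal IKEv1 / IPsec remote-access plumbing so the above is usable.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec transform-set RA-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map RA-DYN 10 set transform-set RA-TS
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic RA-DYN
crypto map OUTSIDE-MAP interface outside
```

After a client connects, `show vpn-sessiondb remote` shows which group-policy and filter were applied to the session, which is the quickest way to confirm that a customer landed in the intended policy. Because the ASA by default lets decrypted VPN traffic bypass the interface ACL (`sysopt connection permit-vpn`), the `vpn-filter` on each group-policy is the control to audit when checking that customers are really kept apart.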
