Access Lists on VPN username

CSCO12440497
Level 1

Is it possible to create an ACL (standard) and assign it to a particular VPN user? This way they will only have access to a few hosts on the network.

I created an ACL and assigned it via the access-class as follows: username xxx access-class 10 password xxx 

However they are still able to access all hosts and not only the few that were allowed in the acl.

Any help please? Thanks

3 Replies

Michael Beck
Level 1

You apply ACLs via group-policy. You can assign the group-policy to a user in a couple of different ways:

1. Through the Dynamic Access Policy

2. The user profile policy

3. User profile policy specifies group policy

4. Connection profile specifies group policy

5. The default policy

The above is in order of priority. Policies applied at (1) override policies applied at (2), and so on. To add a group policy directly to a user:

> username dude10 attributes

> vpn-group-policy POLICY-1

If the user receives a network access policy from the Dynamic Access Policy (either stated explicitly or placed in the DfltAccessPolicy), then that policy will override the group policy applied in this manner.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_groups.pdf
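The reply above explains where the ACL hangs (on a group-policy, as a vpn-filter) and how that group-policy reaches the user; the following ASA configuration puts the two together. It is an added example, not configuration from the original post or from Cisco's documentation: the host addresses, the ACL name VPN-RESTRICTED, the group-policy name POLICY-RESTRICTED and the username dude10 are assumed for illustration.

```text
! Added example: restrict one remote-access VPN user to two inside hosts
! on an ASA. Addresses, ACL name, group-policy name and username are
! assumed, not taken from the original post.

! vpn-filter requires an extended ACL; a standard ACL cannot be used here.
! For remote-access VPN the ACL is written from the client's side: source
! is the VPN client address (any, or the assigned address pool), destination
! is the protected host.
access-list VPN-RESTRICTED extended permit ip any host 10.10.20.5
access-list VPN-RESTRICTED extended permit tcp any host 10.10.20.6 eq 3389
! Anything not matched above is dropped by the ACL's implicit deny.

! Group policy that carries the filter. "internal" means it is defined
! locally on the ASA rather than pulled from a AAA server.
group-policy POLICY-RESTRICTED internal
group-policy POLICY-RESTRICTED attributes
 vpn-filter value VPN-RESTRICTED

! Bind the group policy to the user (step 3 in the precedence list above).
! The user account dude10 is assumed to already exist.
username dude10 attributes
 vpn-group-policy POLICY-RESTRICTED

! Alternative: attach the filter to the user record itself (step 2), which
! takes precedence over whatever the group policy specifies:
!
! username dude10 attributes
!  vpn-filter value VPN-RESTRICTED
```

Two points worth checking when this does not behave as expected. First, the ASA evaluates return traffic from the inside against the same vpn-filter ACL with source and destination (and ports) swapped, so one permit written from the client's perspective covers both directions; do not add mirrored entries. Second, after the user connects, `show vpn-sessiondb detail anyconnect filter name dude10` shows the effective filter name, which is the quickest way to confirm that a DAP record or a connection-profile group policy has not overridden what was set on the user. Note also that the `access-class` keyword in the original poster's IOS `username` command only restricts that user's own terminal (vty) session; it never filters tunneled traffic, which is why all hosts remained reachable.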

Is this still applicable on a Cisco 1800 series, or does it have to be an ASA?

My reply above was for an ASA. On an IOS router you would create a webvpn context and assign group-policies to a context. I'm not as familiar with SSL-VPN on IOS; we use ASAs.