03-16-2017 05:34 AM
Is it possible to create an ACL (standard) and assign it to a particular VPN user? This way they will only have access to a few hosts on the network.
I created an ACL and assigned it via the access-class as follows: username xxx access-class 10 password xxx
However, they are still able to access all hosts and not only the few that were allowed in the ACL.
Any help please? Thanks
03-16-2017 11:47 AM
You apply ACLs via group-policy. You can assign the group-policy to a user in a couple of different ways.
1. Through the dynamic Access Policy
2. The User Profile Policy
3. User Profile policy specifies Group Policy
4. Connection Profile Specifies Group Policy
5. The default policy.
The above is in order of priority. Policies applied at (1) override policies applied at (2) etc. To add a group policy directly to a user:
> username dude10 attributes
> vpn-group-policy POLICY-1
If the user receives a network access policy from the dynamic access policy (either stated or placed in the dfltAccessPolicy), then that policy will override the group policy applied in this manner.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_groups.pdf
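As an added illustration (not part of the reply above or of the linked Cisco guide), this is what the group-policy approach looks like end to end on an ASA: an extended ACL carrying the per-user restriction, a group-policy that references it with vpn-filter, and the user attribute that binds the user to that group-policy. The ACL name, policy name, username and host addresses are constructed for the example; the point is that the restriction lives in the group-policy, not in a standard ACL on the username line.

```cisco
! Constructed example: restrict VPN user "dude10" to two internal hosts.
! Assumed names/addresses: VPN-FILTER-DUDE10, POLICY-RESTRICTED,
! 10.10.10.10 (RDP) and 10.10.10.20 (SSH). Adjust to your environment.
!
! vpn-filter ACLs are written from the remote client's point of view:
! source = the address the VPN client was assigned (any here, since the
! pool is not shown), destination = the internal host.
access-list VPN-FILTER-DUDE10 extended permit tcp any host 10.10.10.10 eq 3389
access-list VPN-FILTER-DUDE10 extended permit tcp any host 10.10.10.20 eq 22
! The implicit deny already drops everything else; an explicit logged
! deny makes blocked attempts visible in syslog.
access-list VPN-FILTER-DUDE10 extended deny ip any any log
!
! The filter is attached to a group-policy, not to the username directly.
group-policy POLICY-RESTRICTED internal
group-policy POLICY-RESTRICTED attributes
 vpn-filter value VPN-FILTER-DUDE10
!
! Bind the user to that group-policy (step 3 in the priority list above).
username dude10 attributes
 vpn-group-policy POLICY-RESTRICTED
!
! After the user connects, confirm which group-policy and filter the
! session actually received (a DAP or connection profile may have
! overridden the username attribute):
! show vpn-sessiondb detail anyconnect filter name dude10
! show access-list VPN-FILTER-DUDE10
```

Two things worth checking when the restriction "does not take": the session detail output names the group-policy and filter in effect, which tells you whether a higher-priority source (DAP or connection profile) replaced POLICY-RESTRICTED, and the ACL hit counts from show access-list tell you whether traffic is being evaluated against the filter at all.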
03-17-2017 02:22 AM
Is this still applicable on a Cisco 1800 series? or does it have to be an ASA?
03-17-2017 06:13 AM
My reply above was for an ASA. On an IOS router you would create a webvpn context and assign group-policies to a context. I'm not as familiar with SSL-VPN on IOS; we use ASAs.