Cisco Support Community
Access Lists on VPN username

Is it possible to create an ACL (standard) and assign it to a particular VPN user? This way they will only have access to a few hosts on the network.

I created an ACL and assigned it via the access-class as follows: username xxx access-class 10 password xxx 

However they are still able to access all hosts and not only the few that were allowed in the acl.

Any help please? Thanks

3 REPLIES
New Member

You apply ACLs via group-policy.  You can assign the group-policy to a user in a couple of different ways. 

1. Through the dynamic Access Policy

2. The User Profile Policy

3. User Profile policy specifies Group Policy

4. Connection Profile Specifies Group Policy

5. The default policy.

The above is in order of priority.  Policies applied at (1) override policies applied at (2) etc.  To add a group policy directly to a user:

> username dude10 attributes

> vpn-group-policy POLICY-1

If the user receives a network access policy from the dynamic access policy (either stated or placed in the dfltAccessPolicy), then that policy will override the group policy applied in this manner.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_groups.pdf
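The reply above shows how to attach a group policy to a user, but not how the ACL gets into that policy. As an added example (not part of the original reply, and not taken from Cisco's documentation), this ASA fragment binds an extended ACL to POLICY-1 with `vpn-filter`. The ACL name, the 10.10.10.0/24 client pool and the two inside hosts are assumptions.

```cisco
! Added example for an ASA. Constructed values: VPN client pool 10.10.10.0/24,
! permitted inside hosts 192.168.1.10 and 192.168.1.20.
! VPN-USER-ACL is a hypothetical name; POLICY-1 and dude10 are from the reply above.

! vpn-filter takes an extended ACL, not a standard one.
! In a vpn-filter ACL the remote (VPN client) side is always written as the
! source and the protected inside hosts as the destination.
access-list VPN-USER-ACL extended permit ip 10.10.10.0 255.255.255.0 host 192.168.1.10
access-list VPN-USER-ACL extended permit ip 10.10.10.0 255.255.255.0 host 192.168.1.20
! Everything else falls through to the implicit deny at the end of the ACL.

! Create the group policy and attach the ACL as its VPN filter.
group-policy POLICY-1 internal
group-policy POLICY-1 attributes
 vpn-filter value VPN-USER-ACL

! Bind the policy to the individual user (the step shown in the reply).
username dude10 attributes
 vpn-group-policy POLICY-1

! Checks after the user reconnects (the filter is applied at session setup):
!   show running-config group-policy POLICY-1
!   show access-list VPN-USER-ACL      <- hit counts should rise on permitted traffic
```

If a dynamic access policy also supplies a network ACL for this user, it takes precedence over the filter set here, as the priority list in the reply describes.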

New Member

Is this still applicable on a Cisco 1800 series? or does it have to be an ASA?

New Member

My reply above was for an ASA.  On an IOS router you would create a webvpn context and assign group-policies to a context.  I'm not as familiar with SSL-VPN on IOS - we use ASAs.
