Cisco Support Community
New Member

How flexible is ASA VPN auth & split tunnel

I have an ASA5520 VPN cluster and I have a requirement to be able to a) assign IPs out of different IP pools for different users, b) apply per-user split tunnel ACLs, and c) enforce that only certain users are allowed to access the VPN device itself via telnet and ssh. It doesn't appear that this is possible within the local database, so I assume I have to use TACACS or something, but I still need to know if what I want to do is even possible.

Cisco Employee

Re: How flexible is ASA VPN auth & split tunnel

I will try to answer it as best I can.

a. You can assign a dedicated IP address to a user or assign a group policy for the user with the address pool.

b. You can assign a filter on the group-policy, and in turn tie the user to the group-policy.

c. You can use the "telnet" or "ssh" command and be specific about what IP address the request should come from to access the device.

Or, as you said, you can use TACACS to assign the user to a specific group and assign a specific address.

Hope this answers your questions.
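
The three points in the answer above, as an added configuration sketch that is not part of the original thread and not taken from Cisco documentation. Every pool, ACL, group-policy and user name, every address and the password placeholders are assumptions; the `aaa authorization exec` and `service-type` lines go beyond the reply to show a per-user restriction with the local database, and their availability depends on the ASA software version.

```cisco
! Constructed example: all names, addresses and passwords are placeholders.
! (a) One address pool per class of user
ip local pool POOL_ENG 10.10.1.10-10.10.1.200 mask 255.255.255.0
ip local pool POOL_VENDOR 10.10.2.10-10.10.2.200 mask 255.255.255.0
!
! (b) Split-tunnel lists: which destinations are sent through the tunnel
access-list SPLIT_ENG standard permit 10.0.0.0 255.0.0.0
access-list SPLIT_VENDOR standard permit 10.50.0.0 255.255.0.0
! VPN filter: what the tunnelled traffic may reach (source = client pool)
access-list FILTER_VENDOR extended permit tcp 10.10.2.0 255.255.255.0 host 10.50.1.20 eq 443
!
group-policy GP_ENG internal
group-policy GP_ENG attributes
 address-pools value POOL_ENG
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_ENG
!
group-policy GP_VENDOR internal
group-policy GP_VENDOR attributes
 address-pools value POOL_VENDOR
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_VENDOR
 vpn-filter value FILTER_VENDOR
!
! Tie each local user to a group-policy; vendor1 also gets a dedicated address
username alice password <PLACEHOLDER> privilege 15
username alice attributes
 vpn-group-policy GP_ENG
 service-type admin
!
username vendor1 password <PLACEHOLDER>
username vendor1 attributes
 vpn-group-policy GP_VENDOR
 vpn-framed-ip-address 10.10.2.50 255.255.255.0
 service-type remote-access
!
! (c) Management access: limit by source address (the telnet command takes
!     the same address, mask and interface arguments) ...
ssh 192.168.100.0 255.255.255.0 inside
! ... and by user: authenticate CLI logins against the local database and
!     enforce service-type, so vendor1 (remote-access) cannot log in to the CLI
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
```

The split-tunnel list only decides which traffic enters the tunnel; the `vpn-filter` ACL is what restricts where that traffic may go, so a least-privilege group normally needs both.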