Cisco Support Community

How to limit VPN Groups access to the local LAN

Hi everyone ...


We have a VPN server created by CCP on a Cisco 2801 router; we have two VPN groups, VPN_1 and VPN_2.

VPN_1 users must be able to access only server 

and the VPN_2 users must be able to access only 



crypto isakmp client configuration group VPN_1
 key xxxxxxxxxxxxx
 dns 192.168.0.x
 pool SDM_POOL_1
 acl 114
 max-users 10

crypto isakmp client configuration group VPN_2
 key xxxxxxxxxxxxx
 dns 192.168.0.x
 pool SDM_POOL_1
 acl 115
 max-users 10

crypto isakmp profile ciscocp-ike-profile-1
   match identity group VPN_1
   match identity group VPN_2
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1



access-list 114 remark vpn_1
access-list 114 permit ip any host

access-list 115 remark vpn_2
access-list 115 permit ip any host 



But this config does not work! All VPN users can access any host in my private LAN!

Please help me to solve this issue.






The ACLs (114 and 115) you are using are not ACLs that are used for filtering traffic. The logic of these ACLs is a little bit different. The "acl" keyword controls split tunneling, which defines which traffic is sent through the tunnel. Everything that is not specified with a "permit" can be reached in cleartext. With that, only the defined traffic can be reached in the inside network. The definition of the traffic is configured from the viewpoint of the router. You have to specify the traffic that the router wants to see in the tunnel:

access-list 114 permit ip host YOUR-IP-POOL
access-list 115 permit ip host YOUR-IP-POOL

More on the EasyVPN-Server can be found in the config-guide:

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
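
A small model of the split-tunnel logic described in the reply above, as an added example that is not part of the original thread. It assumes the client tunnels whatever appears on the source side of each permit entry; the server address 192.168.0.10, the second host 192.168.0.20, the pool 10.10.10.0/24 and all function names are constructed for illustration.

```python
import ipaddress

ANY = ipaddress.ip_network("0.0.0.0/0")

def _operand(tok, i):
    """Parse one address operand starting at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Address followed by a wildcard (inverted) mask, e.g. 10.10.10.0 0.0.0.255
    mask = ipaddress.ip_address(int(ipaddress.ip_address(tok[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{mask}"), i + 2

def parse_entry(line):
    """Return (source, destination) for an 'access-list N permit ip ...' line, else None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "access-list" or tok[2:4] != ["permit", "ip"]:
        return None  # remarks and other statements carry no split-tunnel network
    try:
        src, i = _operand(tok, 4)
        dst, _ = _operand(tok, i)
    except (IndexError, ValueError):
        return None  # incomplete or malformed entry
    return src, dst

def tunneled_networks(acl_lines):
    """Networks the client sends into the tunnel: the SOURCE side of each permit."""
    return [entry[0] for entry in map(parse_entry, acl_lines) if entry]

def goes_through_tunnel(dest_ip, acl_lines):
    """True if a client holding this split-tunnel list encrypts traffic to dest_ip."""
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in tunneled_networks(acl_lines))

# Constructed sample values (not from the thread).
SERVER, OTHER_HOST = "192.168.0.10", "192.168.0.20"
# Client-viewpoint form, as in the question: the source is "any".
AS_POSTED = ["access-list 114 remark vpn_1",
             f"access-list 114 permit ip any host {SERVER}"]
# Router-viewpoint form: source is the server, destination is the client pool.
REWRITTEN = ["access-list 114 remark vpn_1",
             f"access-list 114 permit ip host {SERVER} 10.10.10.0 0.0.0.255"]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED), ("rewritten", REWRITTEN)):
        print(name, [str(n) for n in tunneled_networks(acl)],
              "other host tunneled:", goes_through_tunnel(OTHER_HOST, acl))
```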
give me an example please 

Hello,

In this case Karsten Iwen is right, though also make sure you have a NAT 0 statement to permit the traffic from the inside servers to the VPN client users.

Please take a look at this configuration guide:

Don't forget to rate this!




David Castro,

