I'm trying to map VPN group-policies to users in the local database on an ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is a remote-access VPN. Is it possible to have one tunnel-group for all remote VPN users and to map different group-policies to different users, so that when a user is authenticated, his group-policy is applied to him (address pool, filter list, etc.)? All my users are getting the policy from the group-policy which is defined as the default policy under my tunnel-group (!?):
ASA# sh run tunnel-group
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
This can be done in a different way, hopefully achieving what you want.
Basically you define a tunnel-group for each of your different VPN client groups. So let's assume you have 3 client groups and each group has access to different internal resources; the tunnel-groups you create can apply a different IP pool, thus allowing you to define different access policies in your group-policy configuration. In essence, you will have 3 tunnel-group configurations and 3 group-policy configurations, i.e.:
ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool client2-vpn 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224
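The three-group layout sketched in the answer above, written out as an added example; this is not configuration from the original thread. The pool, ACL, group-policy and tunnel-group names (CLIENT1..3), the internal networks 192.168.x.0/24, and the placeholder secrets in angle brackets are all assumed. The comment lines are for the reader. The last stanza shows the per-user binding the question is really about: ASA lets a local user carry his own vpn-group-policy, which overrides the tunnel-group's default-group-policy, so one tunnel-group can serve every user while the pool and filter follow the authenticated identity.

```cisco
! Address pools: one per client group, non-overlapping, so the address a
! client receives already identifies its group
ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool client2-vpn 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224
!
! Per-group filters (internal networks are assumed). On a remote-access
! vpn-filter the source is the address assigned to the client and the
! destination is the internal resource; anything not permitted is dropped.
access-list CLIENT1-FILTER extended permit ip 10.0.24.0 255.255.255.192 192.168.10.0 255.255.255.0
access-list CLIENT2-FILTER extended permit ip 10.0.24.64 255.255.255.192 192.168.20.0 255.255.255.0
access-list CLIENT3-FILTER extended permit ip 10.0.24.128 255.255.255.224 192.168.30.0 255.255.255.0
!
! Group-policies: pool plus filter per group. Access is enforced by the
! filter, not merely by the addressing.
group-policy CLIENT1-GP internal
group-policy CLIENT1-GP attributes
 vpn-tunnel-protocol IPSec
 address-pools value client1-vpn
 vpn-filter value CLIENT1-FILTER
group-policy CLIENT2-GP internal
group-policy CLIENT2-GP attributes
 vpn-tunnel-protocol IPSec
 address-pools value client2-vpn
 vpn-filter value CLIENT2-FILTER
group-policy CLIENT3-GP internal
group-policy CLIENT3-GP attributes
 vpn-tunnel-protocol IPSec
 address-pools value client3-vpn
 vpn-filter value CLIENT3-FILTER
!
! Tunnel-groups, one per client group as the answer proposes. The
! default-group-policy is what a user gets unless a more specific setting
! (the per-user vpn-group-policy below) overrides it. Pre-shared keys are
! placeholders.
tunnel-group CLIENT1 type remote-access
tunnel-group CLIENT1 general-attributes
 authentication-server-group LOCAL
 default-group-policy CLIENT1-GP
tunnel-group CLIENT1 ipsec-attributes
 pre-shared-key <client1-psk>
tunnel-group CLIENT2 type remote-access
tunnel-group CLIENT2 general-attributes
 authentication-server-group LOCAL
 default-group-policy CLIENT2-GP
tunnel-group CLIENT2 ipsec-attributes
 pre-shared-key <client2-psk>
tunnel-group CLIENT3 type remote-access
tunnel-group CLIENT3 general-attributes
 authentication-server-group LOCAL
 default-group-policy CLIENT3-GP
tunnel-group CLIENT3 ipsec-attributes
 pre-shared-key <client3-psk>
!
! What the question asks for: bind the group-policy to the local user.
! A per-user vpn-group-policy takes precedence over the tunnel-group's
! default-group-policy, so a single tunnel-group can serve all users and
! each still lands in his own pool and filter after authentication.
! Usernames and passwords are placeholders.
username alice password <alice-password>
username alice attributes
 vpn-group-policy CLIENT1-GP
username bob password <bob-password>
username bob attributes
 vpn-group-policy CLIENT2-GP
```

With the questioner's existing single GROUP1 tunnel-group, only the group-policies and the username stanza are needed; the tunnel-group's default-group-policy then applies just to users who have no vpn-group-policy of their own. If you do keep separate tunnel-groups, note that the pre-shared key is the only thing selecting the group, so a user who knows another group's key can connect through that group's tunnel-group; add `group-lock value <tunnel-group>` under each group-policy's attributes to reject that. After a user connects, `show vpn-sessiondb remote` lists the tunnel-group and the group-policy actually applied to the session, which is the quickest way to confirm the mapping took effect.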
Well, what is the purpose of a group-policy if any tunnel-group can have ONLY one group-policy applied? So, I cannot have one tunnel-group for all users and a couple of group-policies which I will apply to users? If I have to create a new tunnel-group for every group of users, then I can configure the address pool and similar stuff under the tunnel-group attributes... Why is there an option to apply a group-policy for each user when it cannot be used when all users connect with the same tunnel-group?