New Member

truly dynamic VPN, is it possible ?

Consider a situation where you have a "central" ASA hosting multiple L2L IPsec tunnels.

Outside users use AnyConnect to connect to the ASA and are granted the routing profile they choose.

Is there *any way* to use a single AnyConnect group which would dynamically set the needed VPN access list based, for example, on LDAP group info?

Small example:

L2L tunnel A has a tunnel-specific access list and uses AnyConnect group A; only users in LDAP group XYA are allowed.

L2L tunnel B has a tunnel-specific access list and uses AnyConnect group B; only users in LDAP group XYB are allowed.

If an end user has the right to connect to both group A and group B (belongs to groups XYA and XYB), can this be managed dynamically?

The real-world case holds hundreds of split-tunnels; this is just a simple example and question: is this possible or not?

-jra

1 ACCEPTED SOLUTION

Cisco Employee


Hi Jari

I'm not entirely sure I understand correctly what you want to achieve, but I think you should be able to do so using a single group and a set of DAP rules.

I.e., one rule that says "if user is a member of XYA then apply ACL A", another rule "if user is a member of XYB then apply ACL B", etc.

see

hth

Herbert

2 REPLIES

New Member

This works quite smooth.

My problem was to understand the fact that I must route all available networks into the tunnel, and then DAP makes the ACL that decides where one can go.

I assume this is a simple thing with a force tunnel, but as I prefer split-tunnel, this was a pain for me to understand.

Anyway, all good, everything works like a charm, case closed.
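To make the two posts above concrete, here is an added ASA configuration sketch of the pattern Herbert describes and Jari confirms: one AnyConnect tunnel-group and group-policy for everyone, a split-tunnel list that carries the networks behind every L2L tunnel, and one DAP record per LDAP group whose network ACL is the thing that actually restricts where a given user can go. This is example configuration written for this page, not from either poster; the names, interface, prefixes, and LDAP group DNs are all assumed. The DAP selection criteria themselves (AAA attribute aaa.ldap.memberOf matching the group DN) are not visible in the running-config: they are set in ASDM under Dynamic Access Policies and stored in dap.xml on flash, so only the CLI half of each record is shown here.

```cisco
! Added example configuration (assumed names/prefixes, not from the thread).
!
! One split-tunnel list that routes the networks behind *every* L2L tunnel
! to the client. DAP cannot add routes per user, so the client must already
! have a route for anything a DAP record might later permit.
access-list SPLIT-ALL standard permit 10.1.0.0 255.255.0.0   ! behind L2L tunnel A
access-list SPLIT-ALL standard permit 10.2.0.0 255.255.0.0   ! behind L2L tunnel B

! Single group-policy and tunnel-group for all AnyConnect users.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ALL

tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 authentication-server-group LDAP-SRV     ! assumed aaa-server group name
 default-group-policy GP-ANYCONNECT

! Per-LDAP-group filters attached to the session by DAP. Each permits only
! its own tunnel's networks; traffic to the other tunnel's networks is dropped
! at the ASA even though the client received a route for it.
access-list DAP-XYA extended permit ip any 10.1.0.0 255.255.0.0
access-list DAP-XYB extended permit ip any 10.2.0.0 255.255.0.0

! DAP records. Selection criterion for each (aaa.ldap.memberOf EQ
! "CN=XYA,OU=VPN,DC=example,DC=com" and the XYB equivalent) is configured in
! ASDM, not on the CLI. A user in both XYA and XYB matches both records and
! gets both network ACLs.
dynamic-access-policy-record DAP-XYA
 description "LDAP group XYA -> networks behind L2L tunnel A"
 network-acl DAP-XYA
 priority 10
dynamic-access-policy-record DAP-XYB
 description "LDAP group XYB -> networks behind L2L tunnel B"
 network-acl DAP-XYB
 priority 10

! Anyone who matched no group-specific record falls through to the default
! record; terminating there means "no matching LDAP group, no session".
dynamic-access-policy-record DfltAccessPolicy
 action terminate
```

Two checks worth doing after this is in place: `show vpn-sessiondb detail anyconnect` shows the DAP records that matched a session and the filter applied, which is the quickest way to confirm that an XYA-only user did not pick up DAP-XYB. And because AnyConnect traffic bound for an L2L network enters and leaves on the same outside interface, the usual hairpin prerequisites still apply independently of DAP: `same-security-traffic permit intra-interface`, crypto ACLs on each L2L tunnel that include the AnyConnect pool, and NAT exemption for pool-to-remote traffic; none of that is shown above.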
