access-list for remote access vpn users

Ibrahim Jamil
Level 6

Hi Folks

How do I designate an access-list for the remote access VPN users in order to let them access a specific subnet or host?

ASA 5510 and ACS are in the picture.

9 Replies

Jennifer Halim
Cisco Employee

You can configure "vpn-filter" access-list to allow them to only access specific subnets.

The ACL will say: from


You can also add TCP or UDP port to the access list.

The ACL is then applied to the "vpn-filter", then to the specific group-policy.

Here is the command for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630190

Hope that helps.

Hi Halim

Thanks for your reply.

But my friend, every time the VPN user gets another IP from the same pool; however, I need full access to the other connected user.

If you are using ASA local database as the authentication server, you can configure specific IP Address for that user.

Then you can create multiple vpn-filter accordingly, and assign the vpn-filter to the group-policy, and lastly, assign that group-policy to the user.

You can just create a specific IP address, vpn-filter and group-policy for the user that you want to have more restricted access, and leave the rest as currently configured.

Just make sure that the ip address that you assign to the user does not overlap with the ip pool that you have created.

Hope this helps.

Hi Halim

I'm using ACS for authentication, now how?

Thanks for sharing the knowledge.

Hi Ibrahim.

In ACS, set the radius attribute 25 (class) to: 'OU=GROUP_POLICY_NAME;'

Then define a group policy called GROUP_POLICY_NAME on your asa with the correct vpn filter.

Alternatively, you may have a vpn-filter attribute that you can configure in ACS. Check the interface configuration, and RADIUS VPN3000/ASA.

Hope this helps.

Hi, can you please paste a sample configuration based on the input below?

Also, my pool is like 172.16.30.100 - 172.16.30.200.

The destination address which I want to be restricted for specific users is 172.16.50.0/24.

I forgot to mention that we are using client full VPN.

Thanks in advance.

Go to Interface Configuration, Advanced Settings on ACS, and check "Per-user TACACS+/RADIUS Attributes".

Then in Interface Configuration, RADIUS (IETF), check "[025] Class" for User (assuming you want per-user policies; if you want to make a policy for a group of users, edit the user's group instead of the user in ACS).

Edit your user, and modify attribute 25: (OU=MyGp;)

Then create the group policy on the ASA:

access-list MyGpFilter extended permit ip any host 1.2.3.4

group-policy MyGp internal
group-policy MyGp attributes
vpn-filter value MyGpFilter

This will indicate to the ASA that the user should use the group policy MyGp, and the group policy defines a VPN filter.
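As an added worked example (not from the thread), this applies Bastien's method to the values Ibrahim gave: pool 172.16.30.100 - 172.16.30.200 and a restricted destination of 172.16.50.0/24. The names RA_POOL, RESTRICTED and RestrictedFilter are assumed; the deny is written in both orientations so the result does not depend on which side the ASA treats as source when it evaluates the vpn-filter.

```text
! Pool already present in Ibrahim's configuration, shown for reference (name RA_POOL assumed)
ip local pool RA_POOL 172.16.30.100-172.16.30.200 mask 255.255.255.0
!
! vpn-filter ACL for the restricted users: block 172.16.50.0/24, allow everything else.
! Both orientations are denied so the filter holds regardless of how the ASA
! orders source/destination for post-decrypted vs. pre-encrypted traffic.
access-list RestrictedFilter extended deny ip any 172.16.50.0 255.255.255.0
access-list RestrictedFilter extended deny ip 172.16.50.0 255.255.255.0 any
access-list RestrictedFilter extended permit ip any any
!
! Group policy that carries the filter (name RESTRICTED assumed)
group-policy RESTRICTED internal
group-policy RESTRICTED attributes
 vpn-filter value RestrictedFilter
!
! On ACS, for the restricted user (or the ACS group they belong to), set
! IETF RADIUS attribute [025] Class to exactly:   OU=RESTRICTED;
! Users without that Class attribute keep the tunnel-group's default group-policy,
! so unrestricted users need no change.
!
! Checks after a restricted user connects:
!   show vpn-sessiondb detail remote     -> confirms the session landed in group-policy RESTRICTED
!   show access-list RestrictedFilter    -> hit counts on the two deny lines when 172.16.50.0/24 is tried
```

Make sure the Class value matches the group-policy name character for character (it is case sensitive), otherwise the ASA silently falls back to the default group-policy and the user gets unfiltered access.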

Thanks Bastien.

Hi again,

My users will reside in Active Directory, so now what will the config be? My manager won't accept users in the ACS, now how to do it?
