VPN filter with full tunneling

Created a group policy as a full tunnel and I need to configure one user with full tunnel and access only to one server IP address. is it possible in Cisco remote access VPN?


Dennis Mink
VIP Alumni

I have never done this, but try setting up different tunnel groups. It does mean you need multiple VPN aliases. If you want one alias and then provide access based on user ID, you will need a solution like Cisco ISE.

For IT:
! split-tunnel network lists are standard ACLs on the ASA
access-list split-it standard permit 10.10.10.0 255.255.255.0

group-policy IT-pol internal
group-policy IT-pol attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-it
exit

! tunnel-group type is "remote-access" (not "remote-access-list")
tunnel-group IT-grp type remote-access
tunnel-group IT-grp general-attributes
 default-group-policy IT-pol

For User:
access-list split-user standard permit 10.10.20.0 255.255.255.0

group-policy User-pol internal
group-policy User-pol attributes
 split-tunnel-policy tunnelspecified
 ! this policy must reference its own list (split-user), not split-it
 split-tunnel-network-list value split-user
exit

tunnel-group User-grp type remote-access
tunnel-group User-grp general-attributes
 default-group-policy User-pol

As per the above, when users connect to different tunnel-groups they will get different group-policies and will have different ACLs specified.

Hi Dennis,

I am not sure how this config will work for "full-tunneling".
Other than that, things are as you said:
- either create a dedicated tunnel group for that guy and give him access to one IP,
or
- use Cisco ISE or Windows NPS and make sure that each time that user connects he receives the SAME IP address; then, based on that IP, you create an ACL and apply it/use it with the vpn-filter ACL feature.
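Added worked example (not from either reply above and not taken from a Cisco document): an ASA configuration that keeps the tunnel a full tunnel (tunnelall) and restricts one user to a single server with a vpn-filter ACL. The filter, rather than a split-tunnel list, is what enforces the restriction, because with "sysopt connection permit-vpn" (the default) VPN traffic bypasses the interface ACLs. The group policy is applied either through a dedicated tunnel-group or directly to a local username. The ACL/policy/tunnel-group names, the server address 10.10.10.50 and the username jdoe are assumptions.

```cisco
! Added example, not from the thread. All names and addresses are assumptions:
! 10.10.10.50 is the only server the user may reach; jdoe is the restricted user.

! vpn-filter ACLs are written from the client's point of view: source = VPN
! client, destination = inside host. Return traffic is handled by stateful
! inspection, so only the client-to-server direction needs a permit line.
access-list VPNFILTER-ONE-HOST extended permit ip any host 10.10.10.50
access-list VPNFILTER-ONE-HOST extended deny ip any any log

! Full tunnel plus the filter. Everything from the client goes through the
! ASA, and everything except the one host is dropped (and logged) there.
group-policy FULL-ONE-HOST internal
group-policy FULL-ONE-HOST attributes
 vpn-tunnel-protocol ssl-client ikev2
 split-tunnel-policy tunnelall
 vpn-filter value VPNFILTER-ONE-HOST

! Option A: dedicated tunnel-group, i.e. a separate alias in the client's
! connection profile list (what Dennis described). To stop the user from
! simply picking a less restrictive alias, also add under the group-policy:
!   group-lock value ONE-HOST-GRP
tunnel-group ONE-HOST-GRP type remote-access
tunnel-group ONE-HOST-GRP general-attributes
 default-group-policy FULL-ONE-HOST
tunnel-group ONE-HOST-GRP webvpn-attributes
 group-alias restricted enable

! Option B: one alias for everyone, policy chosen per user (local AAA only;
! do not combine with group-lock above). A username-level vpn-group-policy
! overrides the tunnel-group's default-group-policy.
username jdoe password <set-a-strong-password>
username jdoe attributes
 vpn-group-policy FULL-ONE-HOST

! Verification after jdoe connects: the session should show the filter
! name, and the ACL hit counts should increase for the host permit and,
! when the user tries anything else, for the deny line.
!   show vpn-sessiondb anyconnect filter name jdoe
!   show access-list VPNFILTER-ONE-HOST
```

When authentication is handled by RADIUS (ISE or NPS) instead of local usernames, the same result can be obtained without a per-user username entry, assuming the server is configured to return the ASA attributes: the Class attribute with the value OU=FULL-ONE-HOST selects the group-policy, and Filter-Id carrying the ACL name applies the vpn-filter directly to that session. Either way, the filter binds to the user's session and does not depend on the client being assigned the same IP address every time.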