Paul2113
Beginner

RV345: is isolating SSL VPN users to specific VLAN/IP address possible?

Hello All, My company uses an RV345 router, and we have a question regarding separating SSL VPN users. We have several users who use the AnyConnect mobile app to connect to our SSL VPN on their tablets. It's been working fine for some time, but we now have a new situation. We have a new user who requires the same SSL VPN access via a mobile device, but their access must be isolated to a single IP on one particular VLAN (we're running 5 VLANs). I've been looking at the SSL VPN server settings, as well as the user/group settings, on the router, but I don't see any way to restrict this new user to a single IP on a particular VLAN. Is there a way to accomplish this that I'm not seeing? Thank you.

3 REPLIES
balaji.bandi
VIP Guru

Not sure these models support more profiles in SSL VPN; maybe worth trying client-to-site.

BB


We considered that, but we never had any luck getting client-to-site to work using the stock Android VPN manager. SSL using the AnyConnect mobile app has been very reliable for us, so we were really hoping to be able to stick with that.

nagrajk1969
Enthusiast

Hi

Ok, this is possible and this is how you do it on the RV345:

1. Let's say you have 4 existing AnyConnect user accounts (user1 to user4) in usergroup "sslvpngrp1".

2. So now for the new 5th user account "user5", which is required to access ONLY say the vlan5 network (or a single host in vlan5), you put this user in a new separate usergroup, say named "sslvpngrp2".

3. Next, in the SSL-VPN server config page, go to the "Group Policies" tab and create 2 policies as below:

a) For the existing default policy "sslvpndefaultpolicy", keep your existing config as is, with either full-tunnel or split-tunnel.

b) Next, create/add a new policy and name it "sslvpnpolicy2", and in this policy configure/enable "Split-Tunnel" and add ONLY THE VLAN5 SUBNET OR THE SINGLE HOST IN THIS VLAN5.

c) Apply and do an apply-save also.

4. Now, next go to the System-Mgmnt/Usergroups page and do the below steps:

Step-1: Edit the usergroup "sslvpngrp1" and for this group, in the bottom section of this page, select and add/attach ONLY "sslvpndefaultpolicy" for this usergroup.

- Apply and save.

- So now all users (the 4 existing user1 to user4) being part of the usergroup "sslvpngrp1" will be applied the "sslvpndefaultpolicy" settings and thus will be able to access whatever has been enabled/set in this sslvpn profile/policy.

Step-2: Next, in the usergroups page, select and edit "sslvpngrp2", in which user5 is included. So for this usergroup, for the sslvpn service, select and attach the policy "sslvpnpolicy2" from the dropdown list.

- Apply and save.

- So now whenever "user5" establishes the AnyConnect sslvpn tunnel to the RV345, it will be allowed to access ONLY the VLAN5 subnet/host, as it's bound to "sslvpnpolicy2".

hope this helps

regards
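The steps above bind a user to a usergroup, the usergroup to a group policy, and the group policy's split-tunnel network list decides which destinations the AnyConnect client routes into the tunnel. The following added example is not code from this thread or from Cisco; it models that binding in Python with constructed VLAN subnets (192.168.1.0/24 to 192.168.5.0/24, one per VLAN in the question), the user, group and policy names from the reply, and an extra constructed over-broad policy, and reports which VLANs each policy exposes. It goes beyond the single case in the reply by flagging any split-tunnel entry (for example a supernet) that overlaps a VLAN the user should not reach.

```python
"""Check which VLANs an RV345 SSL VPN group policy lets a user reach.

Added example, not Cisco's or the RV345's own code: it models the
usergroup -> group-policy -> split-tunnel-network binding described in
the reply above and reports any VLAN a policy exposes beyond what is
intended. The VLAN subnets, the over-broad policy and all addresses are
constructed; the user, group and policy names follow the reply.
"""
import ipaddress
from typing import Dict, List, Set

Net = ipaddress.IPv4Network

# Constructed address plan for the five VLANs mentioned in the question.
VLANS: Dict[str, Net] = {
    f"vlan{i}": ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(1, 6)
}

# Group policies as they would be configured on the SSL VPN server page.
# A full-tunnel policy has no network list: every destination goes via VPN.
POLICIES: Dict[str, dict] = {
    "sslvpndefaultpolicy": {"split_tunnel": False, "networks": []},
    "sslvpnpolicy2": {"split_tunnel": True, "networks": ["192.168.5.10/32"]},
    # Constructed, deliberately over-broad policy to show what the audit catches.
    "sslvpnpolicy_too_wide": {"split_tunnel": True, "networks": ["192.168.0.0/16"]},
}

# Usergroup -> policy and user -> usergroup bindings from the reply.
GROUP_POLICY: Dict[str, str] = {
    "sslvpngrp1": "sslvpndefaultpolicy",
    "sslvpngrp2": "sslvpnpolicy2",
}
USER_GROUP: Dict[str, str] = {
    **{f"user{i}": "sslvpngrp1" for i in range(1, 5)},
    "user5": "sslvpngrp2",
}


def vlans_routed_by_policy(policy_name: str) -> Dict[str, List[Net]]:
    """Map each VLAN to the policy's network entries that overlap it.

    Full tunnel: every VLAN is reachable through the tunnel.
    Split tunnel: only destinations inside the listed networks are tunnelled,
    so a VLAN is reachable only if at least one entry overlaps it.
    """
    policy = POLICIES[policy_name]
    if not policy["split_tunnel"]:
        return {name: [vlan] for name, vlan in VLANS.items()}
    routed: Dict[str, List[Net]] = {}
    for entry in policy["networks"]:
        entry_net = ipaddress.ip_network(entry, strict=False)
        for name, vlan in VLANS.items():
            if entry_net.overlaps(vlan):
                routed.setdefault(name, []).append(entry_net)
    return routed


def vlans_routed_for_user(user: str) -> Dict[str, List[Net]]:
    """Resolve user -> usergroup -> policy and return the VLANs it routes."""
    return vlans_routed_by_policy(GROUP_POLICY[USER_GROUP[user]])


def audit_policy(policy_name: str, allowed_vlans: Set[str]) -> List[str]:
    """Return one finding per VLAN the policy routes into but should not."""
    findings: List[str] = []
    for vlan, entries in sorted(vlans_routed_by_policy(policy_name).items()):
        if vlan not in allowed_vlans:
            nets = ", ".join(str(n) for n in entries)
            findings.append(f"{policy_name}: entry {nets} routes into {vlan}")
    return findings


def audit_user(user: str, allowed_vlans: Set[str]) -> List[str]:
    """Audit the policy a user actually inherits through their usergroup."""
    return audit_policy(GROUP_POLICY[USER_GROUP[user]], allowed_vlans)


if __name__ == "__main__":
    print("user5 reaches:", sorted(vlans_routed_for_user("user5")))
    print("user1 reaches:", sorted(vlans_routed_for_user("user1")))
    for line in audit_user("user5", {"vlan5"}) or ["user5: OK, confined to vlan5"]:
        print(line)
    for line in audit_policy("sslvpnpolicy_too_wide", {"vlan5"}):
        print(line)
```

The split-tunnel list is pushed to and enforced by the AnyConnect client, so a practitioner would pair this check with firewall rules on the router that restrict traffic from the SSL VPN address pool to the intended VLAN5 host, so the isolation does not rest on client-side routing alone.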
