Limit access for a user connected via the VPN Client

Dear all,

I configured remote-access VPN for the VPN Client on an 877 router. I want to limit the access of one user to only one IP address on the LAN network. Can anyone help me do this?

I followed this guide to configure the VPN:

https://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html
Thank you,


Daniele


mikael.lahtela
Level 4
Hi,

Not sure if I understand your question, do you want to allow different networks for different users?

If you want to limit access to a specific LAN for all users, you can modify the following row.
This ACL tells what traffic is sent and encrypted in the tunnel; the rest of the traffic is sent outside the VPN tunnel from the client.
In the following example, from the client in 192.168.0/24 only 10.10.10.0/24 is sent through the tunnel.

!--- Configure the interesting traffic to be encrypted from the VPN Client
!--- to the central site router (access list 101).
!--- Apply this ACL in the ISAKMP configuration.
access-list 101 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

br, Micke

Hi @mikael.lahtela, thank you for your reply, but I want to limit access for only one user.

For example, I have 2 users:

user A

user B

User A can access all IP addresses in the subnet.

User B can access only IP address 192.168.1.1.

Off the top of my head, one way to solve this is to have different group authentication for each user (group).
But note this will be a pain if you need many groups.
With AnyConnect you can use downloadable access lists.

crypto isakmp client configuration group vpnclientA
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 101
!
crypto isakmp client configuration group vpnclientB
 key cisco456
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
 acl 102
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.1 0.0.0.0 192.168.1.0 0.0.0.255

br, Micke
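A way to check offline that the two group ACLs above really give user B only 192.168.1.1 before deploying them: a small Cisco wildcard-mask evaluator that maps each client group to its ACL and tests a LAN host / client address pair against it. This is an added example, not code from the thread or from Cisco IOS; it assumes the group ACL's source is the LAN side and its destination is the client side (the split-tunnel direction the earlier reply describes), and the client address 192.168.1.50 is a constructed sample.

```python
import ipaddress
import re

# Constructed from the client groups and access-lists posted above.
CONFIG = """
crypto isakmp client configuration group vpnclientA
 acl 101
crypto isakmp client configuration group vpnclientB
 acl 102
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.1 0.0.0.0 192.168.1.0 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$")


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)


def parse(config):
    """Return {group: acl_number} and {acl_number: [(action, src, swc, dst, dwc)]}."""
    groups, acls, group = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("crypto isakmp client configuration group "):
            group = line.rsplit(" ", 1)[1]
        elif line.startswith("acl ") and group:
            groups[group] = line.split()[1]
        elif (m := ACL_RE.match(line)):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    return groups, acls


def tunnelled(config, group, lan_host, client_ip):
    """True if lan_host <-> client_ip is covered by the group's split-tunnel ACL.
    Entries are evaluated in order, first match wins, implicit deny at the end."""
    groups, acls = parse(config)
    for action, src, swc, dst, dwc in acls.get(groups[group], []):
        if wildcard_match(lan_host, src, swc) and wildcard_match(client_ip, dst, dwc):
            return action == "permit"
    return False


if __name__ == "__main__":
    for grp, host in [("vpnclientA", "192.168.1.20"), ("vpnclientB", "192.168.1.1"),
                      ("vpnclientB", "192.168.1.20")]:
        print(grp, host, "tunnelled" if tunnelled(CONFIG, grp, host, "192.168.1.50") else "dropped")
```

Remember that this ACL only decides what the client sends into the tunnel; a router-side interface ACL on the pool addresses is still the place to enforce the restriction.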

Thank you :)