Design question: I have multiple customers that will be VPNing (RA) into a single ASA. I would like to restrict their network access to a single vlan (subnet) on the ASA. Is this possible? I know it can be done w/ downloadable ACLs w/ ACS, but this is not an option right now.
Instead of using downloadable ACLs, I think you could use a different ip-local-pool on the ASA for each group defined. Then you'll need to apply the corresponding access-lists to the config.
A group policy with a VPN filter may be configured on the ASA in order to restrict access.
Further, a VPN filter can be applied to an individual user.
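The two suggestions in the replies above (a separate address pool per customer and a group-policy VPN filter, with an optional per-user filter), sketched as an added ASA configuration example that is not part of the original thread. All object names, the 10.99.1.0/24 client pool, the 192.168.50.0/24 customer subnet and the host 192.168.50.10 are assumed placeholders.

```cisco
! Constructed example: every name and address below is a placeholder.
!
! One address pool per customer, so each customer's clients are
! identifiable by source subnet.
ip local pool CUSTA_POOL 10.99.1.1-10.99.1.50 mask 255.255.255.0
!
! ACL used as the VPN filter. In a vpn-filter ACL the remote (VPN client)
! addresses go in the source position and the local network behind the ASA
! in the destination position. Anything not permitted hits the implicit deny.
access-list CUSTA_FILTER extended permit ip 10.99.1.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! Group policy that ties the pool and the filter together.
group-policy CUSTA_GP internal
group-policy CUSTA_GP attributes
 vpn-filter value CUSTA_FILTER
 address-pools value CUSTA_POOL
!
! Remote-access tunnel group for this customer, mapped to the policy above.
tunnel-group CUSTA type remote-access
tunnel-group CUSTA general-attributes
 default-group-policy CUSTA_GP
!
! Per-user filter: a narrower ACL applied to one account.
! Assumes the local user custa_user1 has already been created.
access-list CUSTA_USER1_FILTER extended permit tcp 10.99.1.0 255.255.255.0 host 192.168.50.10 eq 443
username custa_user1 attributes
 vpn-group-policy CUSTA_GP
 vpn-filter value CUSTA_USER1_FILTER
```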