Create different group with VPN Remote Access

Junior Mateus
Level 1

Hi everybody,

Last time, I implemented a Remote Access VPN to my network with an ASA 5510.

I allowed my VPN access to all of my internal LAN.


But I want to configure VPN groups in the CLI so that different groups of users can access different servers or different networks on my LAN.

Example:

informatique group ------ access to 10.70.5.X network
Consultor group --------- access to 10.70.10.X network

I need to know how I can do that, and if you can give me some example script to complete this.

Here is my configuration :

ASA Version 8.0(2)
!
hostname ASA-Vidrul
domain-name vidrul-ao.com
enable password 8Ry2YjIyt7RRXU24 encrypted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address X.X.X.X 255.255.255.X
!
interface Ethernet0/1
nameif inside
security-level 100
ip address  X.X.X.X 255.255.255.X
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
description Port_Device_Management
nameif Management
security-level 99
ip address  X.X.X.X 255.255.255.X
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
domain-name vidrul-ao.com
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any echo
access-list 100 extended permit icmp any any echo-reply
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.1.0 255.255.255.0
access-list vpn-vidrul_splitTunnelAcl standard permit 10.70.99.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip any 10.70.255.0 255.255.255.0
pager lines 24
mtu outside 1500
mtu inside 1500
mtu Management 1500
ip local pool clientvpngroup 10.70.255.100-10.70.255.200 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-602.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 10.70.0.0 255.255.0.0
access-group 100 in interface inside
access-group 100 out interface inside

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.70.99.10 protocol radius
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.2 255.255.255.255 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-DES-SHA ESP-DES-MD5
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 30
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
management-access outside
dhcpd address 192.168.1.2-192.168.1.5 Management
dhcpd enable Management
!
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
match default-inspection-traffic
class-map block-url-class
class-map imblock
match any
class-map P2P
match port tcp eq www
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
policy-map IM_P2P
class imblock
class P2P
!
service-policy global_policy global
group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
default-domain value vidrul-ao.com
username test password 274Y4GRAbNElaCoV encrypted privilege 0
username admin password bTpUzgLxalekyhxQ encrypted privilege 15
username admin attributes
vpn-group-policy vpn-vidrul
username suporte password zjQEaX/fm0NjEp4k encrypted privilege 15
tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
address-pool clientvpngroup
default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:d84e64c87cc5b263c84567e22400591c
: end

Accepted Solution

Jennifer Halim
Cisco Employee

What you would need to configure is to mimic the configuration on group-policy and tunnel-group, and to configure the network-specific access that you require.


Currently you have the following configured:

group-policy vpn-vidrul internal
group-policy vpn-vidrul attributes
vpn-tunnel-protocol IPSec
split-tunnel-policy tunnelspecified
split-tunnel-network-list value vpn-vidrul_splitTunnelAcl
default-domain value vidrul-ao.com

tunnel-group vpn-vidrul type remote-access
tunnel-group vpn-vidrul general-attributes
address-pool clientvpngroup
default-group-policy vpn-vidrul
tunnel-group vpn-vidrul ipsec-attributes
pre-shared-key *

What you would need is to create a new group-policy and a new tunnel-group, and configure the split-tunnel ACL to allow the specific access required.

The user then needs to connect with the new group name and the new pre-shared key (password).

Hope that helps.
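As an added example (not from the thread or from the original poster's ASA), this is what the two groups named in the question would look like on the posted ASA 8.0(2) configuration. The pre-shared keys and ACL names are placeholders, and the vpn-filter lines go beyond what the reply describes: a split-tunnel list only tells the client which routes to send into the tunnel, so it is the ASA-side vpn-filter that actually restricts each group to its network.

```cisco
! Added example, not from the thread. Group names come from the question;
! ACL names and pre-shared keys are assumed placeholders.
!
! --- informatique group: only 10.70.5.0/24 ---
! Split-tunnel list: routes the client sends into the tunnel (client-side only).
access-list informatique_splitTunnelAcl standard permit 10.70.5.0 255.255.255.0
! vpn-filter list: enforced by the ASA on decrypted traffic, so a client cannot
! widen its own access. Client pool goes in the source position, the LAN in the
! destination position; the ASA swaps them for the return direction.
access-list informatique_vpnFilter extended permit ip 10.70.255.0 255.255.255.0 10.70.5.0 255.255.255.0
!
group-policy informatique internal
group-policy informatique attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value informatique_splitTunnelAcl
 vpn-filter value informatique_vpnFilter
 default-domain value vidrul-ao.com
!
tunnel-group informatique type remote-access
tunnel-group informatique general-attributes
 address-pool clientvpngroup
 default-group-policy informatique
tunnel-group informatique ipsec-attributes
 pre-shared-key INFORMATIQUE-PSK-PLACEHOLDER
!
! --- Consultor group: only 10.70.10.0/24 ---
access-list Consultor_splitTunnelAcl standard permit 10.70.10.0 255.255.255.0
access-list Consultor_vpnFilter extended permit ip 10.70.255.0 255.255.255.0 10.70.10.0 255.255.255.0
!
group-policy Consultor internal
group-policy Consultor attributes
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Consultor_splitTunnelAcl
 vpn-filter value Consultor_vpnFilter
 default-domain value vidrul-ao.com
!
tunnel-group Consultor type remote-access
tunnel-group Consultor general-attributes
 address-pool clientvpngroup
 default-group-policy Consultor
tunnel-group Consultor ipsec-attributes
 pre-shared-key CONSULTOR-PSK-PLACEHOLDER
!
! Pin a user to its group policy, as the existing config already does for
! "admin", so knowing another group's name and key does not change what
! that account can reach.
username test attributes
 vpn-group-policy informatique
```

Both groups reuse the existing pool clientvpngroup, which the posted inside_nat0_outbound ACL already exempts from NAT, so no NAT change is needed.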

2 Replies

OK, thanks, I'll try to create another group policy and test it.