09-09-2013 06:31 AM
I have an EZVPN client config on my 2821 that I would only like to give access to a few hosts of my LAN. The remaining hosts should all use the default route. Is this possible with split-tunneling? Everything I've read so far says it can only be done on a sub-net basis. If not, is there another way to achieve this?
09-09-2013 07:43 AM
It is possible to implement an access control list to deny access through the VPN for a host.
09-09-2013 07:57 AM
Can you make it a bit clearer? Would you like the EzVPN client to access THEIR local LAN when connected via Cisco VPN client?
And should the other set of users route all their traffic to the Cisco 2821 when connected to the VPN?
09-09-2013 10:51 AM
Hi, firstly thanks for replying.
My 2821 is connecting to a VPN provider with EZ VPN Client. I want 4 or so hosts to access the internet through the VPN and my other hosts to use the local outside interface, default route.
I tried this config but it didn't work:
I created a group for the hosts I wanted to route through the VPN,
object-group network VNPCLIENTS
 description HOSTS ALLOWED ACCESS TO THE VPN
 host 192.168.3.204
 host 192.168.3.42
 host 192.168.3.44
 host 192.168.3.202
 host 192.168.3.43
created an access list with the group,
access-list 101 remark VPN ACCESS
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Hosts allowed access to VPN
access-list 101 permit ip object-group VNPCLIENTS any
and applied it to the crypto ipsec client,
crypto ipsec client ezvpn CISCOCP_EYVPN_CLIENT_1
 connect auto
 mode client
 acl 101
 xauth userid mode interactive
Appreciate any help getting this cleared up.
09-09-2013 08:22 AM
Not sure if the router supports this; on ASA you can use RADIUS to return the tunnel group / group policy.
Sent from Cisco Technical Support iPhone App