08-27-2010 08:11 AM
I have a remote VPN configured in my ASA firewall with a VPN group of users configured on the external ACS. The group called VPNASA authenticates through the ACS server and the IP pool server is on the ASA firewall. Now my boss asked me to configure a second VPN group called VPNSALES on the ACS server for the same remote VPN on the ASA firewall. How do I configure the ASA firewall to accept both groups and authenticate to the same ACS server? I have never done this before so I need help.
Thanks so much!
08-27-2010 09:31 AM
Hi,
All that you need to do is to create another group policy and attach it to a tunnel group:
! Group policy for the sales users
group-policy vpnsales internal
group-policy vpnsales attributes
 banner value VPN access for sales team
 dns-server value x.x.x.x
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-sales
 address-pools value sales-pool
 default-domain value mydomain.com
! Tunnel group that uses the policy and the AAA server group
tunnel-group vpnsales type remote-access
tunnel-group vpnsales general-attributes
 authentication-server-group vpnsales
 default-group-policy vpnsales
! Group pre-shared key for the IPsec clients
tunnel-group vpnsales ipsec-attributes
 pre-shared-key @@@@
You will also create an attribute map named vpnsales for ACS auth.
Thanks
Manish
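The commands in the answer above refer to objects by name (the address pool, the split-tunnel ACL, the AAA server group, the group policy), and each must be defined on the ASA before the new group works. The following is an added example, not part of the original thread: a small Python check that reports names a saved configuration references but never defines. The function name, the sample configuration and its addresses are constructed for illustration.

```python
import re

# Constructed sample: the pool and ACL are defined, the AAA server group is not.
SAMPLE_CONFIG = """\
ip local pool sales-pool 10.10.20.1-10.10.20.50 mask 255.255.255.0
access-list split-sales standard permit 10.1.0.0 255.255.0.0
group-policy vpnsales internal
group-policy vpnsales attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-sales
 address-pools value sales-pool
tunnel-group vpnsales type remote-access
tunnel-group vpnsales general-attributes
 authentication-server-group vpnsales
 default-group-policy vpnsales
"""
# Top-level lines that define a named object: (pattern, object kind).
DEFINES = [
    (re.compile(r"^ip local pool (\S+)"), "pool"),
    (re.compile(r"^access-list (\S+)"), "acl"),
    (re.compile(r"^aaa-server (\S+) protocol"), "aaa"),
    (re.compile(r"^group-policy (\S+) (?:internal|external)"), "policy"),
]
# Indented sub-commands that reference a named object.
REFERS = [
    (re.compile(r"^address-pools? (?:value )?(\S+)"), "pool"),
    (re.compile(r"^split-tunnel-network-list value (\S+)"), "acl"),
    (re.compile(r"^authentication-server-group (?:\(\S+\) )?(\S+)"), "aaa"),
    (re.compile(r"^default-group-policy (\S+)"), "policy"),
]

def missing_references(config):
    """Return sorted (section, kind, name) for references with no definition."""
    defined, refs, section = {("aaa", "LOCAL")}, [], None  # LOCAL is built in
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():      # top-level command opens a new section
            section = line
            for rx, kind in DEFINES:
                if (m := rx.match(line)):
                    defined.add((kind, m.group(1)))
        else:                         # sub-command inside the current section
            for rx, kind in REFERS:
                if (m := rx.match(line)):
                    refs.append((section, kind, m.group(1)))
    return sorted(r for r in refs if (r[1], r[2]) not in defined)
```

Run against the sample, it flags the `authentication-server-group vpnsales` line because no `aaa-server vpnsales protocol ...` definition is present.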
08-27-2010 09:30 AM
You can create separate tunnel groups and policies on the ASA. If you are managing all restrictions on the ACS then you don't really need to do this.
I have 2 VPN groups on my ASA. "VPN" is for regular users and "NetOps" is for engineers. I also have several groups on the ACS and manage restrictions with downloadable access lists.
08-31-2010 07:23 AM
Thanks. That did the trick and it is working. Thanks a lot!!