Restrict some VPN users to some internal subnets

hmc250000
Level 1

How do you restrict some users to some internal subnets on an ASA? Are VPN filters the only way? And would you have to create a separate profile for the restricted VPN users? Thank you.

3 Replies

Hi henry,

You can create multiple group policies and use Split ACL or VPN filter in it to restrict user access.

If the user is authenticated locally, then bind the group policy to the user. And if the user is authenticated through RADIUS, then assign the group policy to the user through RADIUS.

If this was helpful, please give it a thumbs up

Spooster IT Services Team

Thanks, how do I lock the restricted users to one policy/profile?

You only need to create 1 tunnel-group and multiple group-policies. Under the user attributes, you would then configure the VPN group policy that you would like the user assigned to.

You can also authenticate users against AD and configure ldap attribute map to automatically map user to a specific group policy.

Following is the sample config for local authentication:

webvpn
 enable outside
 cache-fs limit 50
 svc image disk0:/anyconnect-win-3.0.10055-k9.pkg 1
 svc enable
ip local pool test-pool 10.255.255.10-10.255.255.20 mask 255.255.255.224
group-policy test-gp internal
group-policy test-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
username test password test
username test attributes
 vpn-tunnel-protocol svc
 vpn-group-policy test-gp
tunnel-group test-tunnel type remote-access
tunnel-group test-tunnel general-attributes
 default-group-policy test-gp
tunnel-group test-tunnel webvpn-attributes

You can also define the ACL under the group policy for split tunneling and configure NO NAT from the ASA LAN subnet (that you want to provide access to VPN users) to the pool subnet.

If this is helpful please give a thumbs up.

Spooster IT Services Team
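As an added example that is not part of the reply above, here is how the restriction itself would look on top of that sample: a second group policy carrying a vpn-filter ACL and a split-tunnel list, a local user locked to it with group-lock, and the NAT exemption. It reuses test-pool and test-tunnel from the sample; the internal subnets 10.1.10.0/24 and 10.1.0.0/16 are constructed, and the NAT statement assumes ASA 8.3+ object-based syntax.

```cisco
! Added example, not the reply author's config. Reuses test-pool (10.255.255.0/27)
! and test-tunnel from the sample above; 10.1.10.0/24 and 10.1.0.0/16 are constructed.

! vpn-filter ACL: matched on traffic arriving from the VPN client, so the source
! is the pool and the destination is the only internal subnet this user may reach.
! The implicit deny at the end blocks every other internal destination.
access-list RESTRICTED-VPN-FILTER extended permit ip 10.255.255.0 255.255.255.224 10.1.10.0 255.255.255.0

! Split-tunnel list (optional): only the permitted subnet is routed into the tunnel.
access-list RESTRICTED-SPLIT standard permit 10.1.10.0 255.255.255.0

! Restricted group policy: same pool and protocol, plus the filter and split list.
group-policy restricted-gp internal
group-policy restricted-gp attributes
 vpn-tunnel-protocol svc webvpn
 address-pools value test-pool
 vpn-filter value RESTRICTED-VPN-FILTER
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RESTRICTED-SPLIT

! Local user pinned to the restricted policy; group-lock also rejects the login
! if the user selects any tunnel-group other than test-tunnel.
username limited password limited
username limited attributes
 vpn-group-policy restricted-gp
 vpn-tunnel-protocol svc
 group-lock value test-tunnel

! NAT exemption (8.3+ syntax) so inside hosts and pool addresses are not translated.
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
object network VPN-POOL
 subnet 10.255.255.0 255.255.255.224
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup
```

Users who keep the default test-gp policy are unaffected; only accounts whose user attributes (or RADIUS/LDAP mapping) select restricted-gp get the filter applied.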