
VPN 3015 restricting where users can go

lisasmith
Level 1

We have a Cisco VPN Concentrator 3015 working just fine using our Cisco ACS to authenticate clients VPNing into our network through broadband. We are in the process of outsourcing all our dial-up connections to another provider, requiring the user to then VPN into our network once dialed into the new ISP’s network (I know not a good way to provide speed).

What I need to do is use the VPN concentrator (or ACS) to restrict where the VPN users can go on the network (the two options are Internet, Email, internal applications OR just Internet). These restrictions are presently in place for our current dial-up users (into our network - that are going away) through an ACL on the 5200s. Since this step is being eliminated altogether (and the 5200s) through outsourcing the dial-up connections – can this be easily done on the concentrator once the user launches the VPN client to gain access to our network? I’m not authenticating anyone on the concentrator at this point – just using the ACS.

I certainly hope this makes some sense. Any suggestions are welcome!

Thanks,
Lisa Smith

2 Replies

gfullage
Cisco Employee

Under the group settings on the VPN3000 there's an option to define a filter for that group; this defines where the users can (and cannot) go on the internal network.

The following sample config shows how to configure the filter and assign it to a group, and even how to assign it to specific users via the RADIUS server if you like:

http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094eac.shtml

Thanks. This is what I needed to point me in the right direction.

Lisa