11-29-2005 08:37 AM - edited 02-21-2020 02:07 PM
We have a Cisco VPN Concentrator 3015 working just fine using our Cisco ACS to authenticate clients VPNing into our network through broadband. We are in the process of outsourcing all our dial-up connections to another provider, requiring the user to then VPN into our network once dialed into the new ISP's network (I know, not a good way to provide speed). What I need to do is use the VPN concentrator (or ACS) to restrict where the VPN users can go on the network (the two options are Internet, Email, internal applications OR just Internet). These restrictions are presently in place for our current dial-up users (into our network - that are going away) through an ACL on the 5200s. Since this step is being eliminated altogether (and the 5200s) through outsourcing the dial-up connections, can this be easily done on the concentrator once the user launches the VPN client to gain access to our network? I'm not authenticating anyone on the concentrator at this point, just using the ACS. I certainly hope this makes some sense. Any suggestions are welcome! Thanks, Lisa Smith
11-29-2005 10:31 PM
Under the group settings on the VPN3000 there's an option to define a filter for that group; this defines where the users can (and cannot) go on the internal network.
The following sample config shows how to configure the filter and assign it to a group, and even how to assign it to specific users via the RADIUS server if you like:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a0080094eac.shtml
12-02-2005 08:48 AM
Thanks. This is what I needed to point me in the right direction. Lisa