08-15-2012 08:07 AM
I have an ASA5520 configured with two group policies: one for Tech Services and another for General Users. We are using hairpinning on our WAN interface, and I want to only allow the Users group access to VLAN 30 internally and WAN access when they are connected to SSL VPN. I have set up the IPv4 filter in the group policy, and restricting access to all other VLANs is working (they are only able to hit IP addresses in VLAN 30), but they have no internet connection. I have tried adding an ACE to the ACL like I did to permit traffic only to VLAN 30, but added another ACE for the WAN interface, and it's not working. How else would I restrict access to an internal VLAN and give web access through the VPN group policy?
08-15-2012 09:08 AM
Assuming the IP pool is 192.168.10.0/24 and you are doing tunnelall instead of split-tunnel,
you can do
same-security-traffic permit intra-interface
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
08-15-2012 01:26 PM
This was resolved by adding an extended ACL permitting the network of the allowed VLAN and denying access to the rest, and finally an any-to-any IP ACE for WAN access.
Sent from Cisco Technical Support Android App
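The configuration described in the thread, combined into one worked example (added here, not the poster's or Cisco's own config). The addresses are constructed: VPN pool 192.168.10.0/24, VLAN 30 as 10.30.0.0/24, all internal space as 10.0.0.0/8, and the group policy name GENERAL_USERS is an assumption; the nat/global lines use the 8.2-style syntax from the reply above.

```cisco
! Added example, not from the thread. Constructed addressing:
!   SSL VPN address pool : 192.168.10.0/24
!   VLAN 30 (allowed)    : 10.30.0.0/24
!   all internal space   : 10.0.0.0/8
! vpn-filter ACLs are evaluated for both directions of a flow; this example
! assumes the remote-access form with the VPN client as source and the
! internal network as destination. Order matters: specific permit, then the
! deny for the rest of the internal space, then the catch-all for the WAN.
access-list USERS_VPN_FILTER extended permit ip 192.168.10.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list USERS_VPN_FILTER extended deny ip 192.168.10.0 255.255.255.0 10.0.0.0 255.0.0.0
! Final any-to-any ACE is what gives hairpinned Internet access
access-list USERS_VPN_FILTER extended permit ip any any
!
! Apply the filter to the Users group policy (name is assumed) with tunnelall
group-policy GENERAL_USERS attributes
 vpn-filter value USERS_VPN_FILTER
 split-tunnel-policy tunnelall
!
! Hairpin: allow decrypted VPN traffic to leave the interface it arrived on,
! and PAT the pool behind the outside interface address (ASA 8.2 syntax)
same-security-traffic permit intra-interface
nat (outside) 1 192.168.10.0 255.255.255.0
global (outside) 1 interface
!
! Check: hit counts should move on the VLAN 30 permit and the final permit,
! and on the deny when a user tries another internal VLAN
show access-list USERS_VPN_FILTER
```

If the deny ACE is omitted, the final permit any any also reaches the other internal VLANs, which is the failure mode to test for after applying the filter.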