eagle_mk4
Beginner

VPN(remote access, ASA5520) with 2 clients, one with Internet and another without Internet

Hi! I have set up a VPN with two clients, using an ASA5520. Now I need one client to have Internet access and the other not to. Can I do it using an ACL? How?

The configuration is:

interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 172.16.31.252 255.255.255.248
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 172.16.1.237 255.255.255.240
access-list ACLnonat extended permit ip 172.16.1.224 255.255.255.240 host 172.16.1.230
access-list Split_tunnel standard permit 172.16.1.224 255.255.255.240
ip local pool testpool 172.16.1.230-172.16.1.232 mask 255.255.255.240
nat (inside) 0 access-list ACLnonat
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set hw_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set hw_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 3600
crypto isakmp nat-traversal 30
group-policy hw_policy internal
group-policy hw_policy attributes
  dns-server value 193.205.160.3
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_tunnel
  split-dns value 193.205.160.3
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User2 attributes
  vpn-framed-ip-address 172.16.1.233 255.255.255.240
  password-storage enable
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
  address-pool testpool
  default-group-policy hw_policy
tunnel-group hwclients ipsec-attributes
  pre-shared-key *****
  isakmp keepalive threshold 30 retry 5

Thanks in Advance.

Accepted solution
a.matahen
Beginner

Hello Jose,

I can see that you are using LOCAL authentication. What you can do is create another group-policy and bind that group policy to the username, for example:

group-policy NEWPOLICY internal
group-policy NEWPOLICY attributes
  split-tunnel-policy tunnelall
username User1 attributes
  vpn-group-policy NEWPOLICY

The other username will use the hw_policy since it is the default for the tunnel-group hwclients.

HTH

AMatahen

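As an added illustration (not code from the thread or from Cisco), the following Python script models the precedence the answer relies on: a username's vpn-group-policy overrides the tunnel-group's default-group-policy, which in turn overrides DfltGrpPolicy, whose split-tunnel-policy defaults to tunnelall. The sample configuration is constructed from the thread's posting plus the accepted answer's lines.

```python
import re

# Constructed sample: the thread's config plus the accepted answer's additions.
SAMPLE_CONFIG = """\
group-policy hw_policy internal
group-policy hw_policy attributes
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_tunnel
group-policy NEWPOLICY internal
group-policy NEWPOLICY attributes
  split-tunnel-policy tunnelall
username User1 attributes
  vpn-group-policy NEWPOLICY
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
  default-group-policy hw_policy
"""


def parse_asa(config):
    """Collect the three settings that decide a user's split-tunnel policy."""
    policies, users, tunnel_groups = {}, {}, {}
    section = None
    for line in config.splitlines():
        if not line.startswith(" "):
            # Top-level line opens a new section (or none we care about).
            m = re.match(r"(group-policy|username|tunnel-group) (\S+)", line)
            section = (m.group(1), m.group(2)) if m else None
            continue
        if section is None:
            continue
        kind, name = section
        key, _, value = line.strip().partition(" ")
        if kind == "group-policy" and key == "split-tunnel-policy":
            policies[name] = value
        elif kind == "username" and key == "vpn-group-policy":
            users[name] = value  # per-user override, as in the accepted answer
        elif kind == "tunnel-group" and key == "default-group-policy":
            tunnel_groups[name] = value
    return policies, users, tunnel_groups


def effective_policy(config, user, tunnel_group):
    """Name the group-policy the ASA applies to `user` on `tunnel_group`."""
    _, users, tunnel_groups = parse_asa(config)
    return users.get(user) or tunnel_groups.get(tunnel_group, "DfltGrpPolicy")


def internet_in_tunnel(config, user, tunnel_group):
    """True when the user's Internet traffic enters the tunnel (tunnelall)."""
    policies, _, _ = parse_asa(config)
    policy = effective_policy(config, user, tunnel_group)
    # A policy without an explicit setting inherits the DfltGrpPolicy default.
    return policies.get(policy, "tunnelall") == "tunnelall"
```

Note that tunnelall only removes Internet access here because this ASA has no hairpinning for VPN clients (same-security-traffic permit intra-interface plus a NAT rule for the pool on the outside interface); if those are added later, the tunnelall user regains Internet access through the ASA.
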
Hi AMatahen,

Your solution works perfectly!!

I will be eternally grateful!

Thank you!

a.matahen
Beginner

Great news! Best of luck.

Glad that I could help!

AMatahen
