05-03-2012 05:20 AM - edited 02-21-2020 06:02 PM
Hi! I have a VPN network with two clients, using an ASA5520. Now I need one client to have internet access and the other not to. Can I do it using an ACL? How?
The configuration is:
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.16.31.252 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.1.237 255.255.255.240
access-list ACLnonat extended permit ip 172.16.1.224 255.255.255.240 host 172.16.1.230
access-list Split_tunnel standard permit 172.16.1.224 255.255.255.240
ip local pool testpool 172.16.1.230-172.16.1.232 mask 255.255.255.240
nat (inside) 0 access-list ACLnonat
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set hw_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set hw_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 3600
crypto isakmp nat-traversal 30
group-policy hw_policy internal
group-policy hw_policy attributes
 dns-server value 193.205.160.3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel
 split-dns value 193.205.160.3
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User2 attributes
 vpn-framed-ip-address 172.16.1.233 255.255.255.240
 password-storage enable
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
 address-pool testpool
 default-group-policy hw_policy
tunnel-group hwclients ipsec-attributes
 pre-shared-key *****
 isakmp keepalive threshold 30 retry 5
Thanks in Advance.
05-03-2012 05:39 AM
Hello Jose,
I can see that you are using LOCAL authentication. What you can do is create another group-policy and bind that group-policy to the username, for example:
group-policy NEWPOLICY attributes
 split-tunnel-policy tunnelall
username User1 attributes
 vpn-group-policy NEWPOLICY
The other username will use the hw_policy since it is the default for the tunnel-group hwclients.
HTH
AMatahen
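To see how the ASA resolves which group-policy (and therefore which split-tunnel behaviour) applies to each user, here is a small parser for the relevant configuration lines. This is an added example and not code from the thread or from Cisco; the sample configuration is constructed from the post's config plus the NEWPOLICY lines from the answer. It resolves the username binding first and falls back to the tunnel-group's default-group-policy, then reports whether the user keeps internet access: with tunnelall, client internet traffic enters the tunnel and can only leave the ASA again if hairpinning (same-security-traffic permit intra-interface, plus NAT for the pool) is configured, which this config does not have. Treating an unset split-tunnel-policy as tunnelall mirrors the ASA default and is noted as an assumption in the code.

```python
"""Resolve the effective split-tunnel policy per VPN user from ASA config text.

Added example, not part of the original thread. The config below is
constructed from the post and the answer (hw_policy, NEWPOLICY, hwclients).
"""
import re

SAMPLE_CONFIG = """\
group-policy hw_policy internal
group-policy hw_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel
group-policy NEWPOLICY internal
group-policy NEWPOLICY attributes
 split-tunnel-policy tunnelall
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User1 attributes
 vpn-group-policy NEWPOLICY
username User2 attributes
 vpn-framed-ip-address 172.16.1.233 255.255.255.240
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
 address-pool testpool
 default-group-policy hw_policy
"""


def parse_asa_config(text):
    """Parse only the lines that matter for split tunneling.

    ASA config is a sequence of top-level commands, each optionally followed
    by indented sub-commands; we track which section we are inside.
    Returns (group_policies, user_policy, tunnel_group_defaults, hairpin).
    """
    policies = {}      # group-policy name -> {"split": ..., "list": ...}
    user_policy = {}   # username -> bound group-policy name, or None
    tg_default = {}    # tunnel-group name -> default-group-policy name
    hairpin = False    # same-security-traffic permit intra-interface seen?
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        indented = raw.startswith(" ")
        line = raw.strip()
        if not indented:
            section = None
            m = re.match(r"group-policy (\S+) attributes$", line)
            if m:
                section = ("gp", m.group(1))
                policies.setdefault(m.group(1), {"split": None, "list": None})
                continue
            m = re.match(r"group-policy (\S+) internal$", line)
            if m:
                policies.setdefault(m.group(1), {"split": None, "list": None})
                continue
            m = re.match(r"username (\S+) attributes$", line)
            if m:
                section = ("user", m.group(1))
                user_policy.setdefault(m.group(1), None)
                continue
            m = re.match(r"username (\S+) password ", line)
            if m:
                user_policy.setdefault(m.group(1), None)
                continue
            m = re.match(r"tunnel-group (\S+) general-attributes$", line)
            if m:
                section = ("tg", m.group(1))
                continue
            if line == "same-security-traffic permit intra-interface":
                hairpin = True
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "gp":
            m = re.match(r"split-tunnel-policy (\S+)", line)
            if m:
                policies[name]["split"] = m.group(1)
            m = re.match(r"split-tunnel-network-list value (\S+)", line)
            if m:
                policies[name]["list"] = m.group(1)
        elif kind == "user":
            m = re.match(r"vpn-group-policy (\S+)", line)
            if m:
                user_policy[name] = m.group(1)
        elif kind == "tg":
            m = re.match(r"default-group-policy (\S+)", line)
            if m:
                tg_default[name] = m.group(1)
    return policies, user_policy, tg_default, hairpin


def effective_policy(cfg, user, tunnel_group):
    """Username binding wins; otherwise the tunnel-group default applies."""
    policies, user_policy, tg_default, hairpin = cfg
    name = user_policy.get(user) or tg_default.get(tunnel_group)
    # Assumption: an unset split-tunnel-policy behaves as tunnelall (ASA default).
    split = policies.get(name, {}).get("split") or "tunnelall"
    # Split tunnelling keeps internet traffic local; tunnelall sends it into
    # the tunnel, where it only gets out again if hairpinning is configured.
    internet = split in ("tunnelspecified", "excludespecified") or hairpin
    return {"group_policy": name, "split_tunnel": split, "internet": internet}


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    for user in ("User1", "User2"):
        print(user, effective_policy(cfg, user, "hwclients"))
```

Run as a script it prints one line per user; User1 resolves to NEWPOLICY with tunnelall and no internet, User2 falls back to hw_policy with tunnelspecified and keeps local internet, which is exactly the split the question asked for. The same function can be pointed at a full show running-config dump to audit which users are (perhaps unintentionally) full-tunnel or split-tunnel.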
05-04-2012 01:26 AM
Hi AMatahen,
Your solution works perfectly!!
I will be eternally grateful!
Thank you!
05-04-2012 03:38 AM
Great news! Best of luck
Glad that I could help!
AMatahen