VPN(remote access, ASA5520) with 2 clients, one with Internet and another without Internet

eagle_mk4
Level 1

Hi! I have a VPN network with two clients, using an ASA5520. Now I have to make it so that one client has Internet and the other hasn't. Can I do it using an ACL? How?

The configuration is:

interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 172.16.31.252 255.255.255.248
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 172.16.1.237 255.255.255.240
access-list ACLnonat extended permit ip 172.16.1.224 255.255.255.240 host 172.16.1.230
access-list Split_tunnel standard permit 172.16.1.224 255.255.255.240
ip local pool testpool 172.16.1.230-172.16.1.232 mask 255.255.255.240
nat (inside) 0 access-list ACLnonat
route outside 0.0.0.0 0.0.0.0 172.16.31.254 1
crypto ipsec transform-set hw_trans esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn_map 1 set transform-set hw_trans
crypto dynamic-map dyn_map 1 set reverse-route
crypto map stat_map 10000 ipsec-isakmp dynamic dyn_map
crypto map stat_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 3600
crypto isakmp nat-traversal 30
group-policy hw_policy internal
group-policy hw_policy attributes
  dns-server value 193.205.160.3
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value Split_tunnel
  split-dns value 193.205.160.3
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User2 attributes
  vpn-framed-ip-address 172.16.1.233 255.255.255.240
  password-storage enable
tunnel-group hwclients type remote-access
tunnel-group hwclients general-attributes
  address-pool testpool
  default-group-policy hw_policy
tunnel-group hwclients ipsec-attributes
  pre-shared-key *****
  isakmp keepalive threshold 30 retry 5

Thanks in Advance.

Accepted Solution

a.matahen
Level 1

Hello Jose,

I can see that you are using LOCAL authentication. What you can do is create another group-policy and bind that group policy to the username, for example:

group-policy NEWPOLICY internal
group-policy NEWPOLICY attributes
  split-tunnel-policy tunnelall
username User1 attributes
  vpn-group-policy NEWPOLICY

The other username will use the hw_policy since it is the default for the tunnel-group hwclients.

HTH

AMatahen
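As an added check (example code written for this thread, not from the poster, the answerer or Cisco): a small Python parser that reads an ASA config and reports, for each local username, which group-policy applies when connecting through a given tunnel-group and whether that policy's split-tunnel mode is tunnelall or tunnelspecified. The embedded config is a constructed sample built from the asker's lines with the accepted fix merged in; it assumes DfltGrpPolicy keeps its factory tunnelall value.

```python
import re

# Constructed sample (added here, not output from the thread): the asker's relevant
# lines with the accepted fix merged in, so User1 is bound to NEWPOLICY.
SAMPLE_CONFIG = """\
group-policy hw_policy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split_tunnel
group-policy NEWPOLICY attributes
 split-tunnel-policy tunnelall
username User1 password pqA3EDHB1cfLxwWn encrypted privilege 0
username User2 password FIQ1c02tX8lU1wHJ encrypted privilege 0
username User1 attributes
 vpn-group-policy NEWPOLICY
tunnel-group hwclients general-attributes
 default-group-policy hw_policy
"""
# Per header kind, the one sub-command inside its attributes section we care about.
WANTED = {"group-policy": "split-tunnel-policy", "username": "vpn-group-policy",
          "tunnel-group": "default-group-policy"}
HEADER = re.compile(r"(group-policy|username|tunnel-group) (\S+) (\S+)")

def parse_asa(text):
    """Return {group-policy: split mode}, {user: bound policy or None} and
    {tunnel-group: default policy}; indented lines belong to the last header."""
    tables, section = {k: {} for k in WANTED}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            kind, name, rest = m.groups()
            if kind == "username":
                tables[kind].setdefault(name, None)  # list every user, bound or not
            section = (kind, name) if rest.endswith("attributes") else None
        elif section and line.startswith(" "):
            kind, name = section
            key, _, val = line.strip().partition(" ")
            if key == WANTED[kind]:
                tables[kind][name] = val.strip()
        else:
            section = None  # any other unindented line ends the section
    return tables["group-policy"], tables["username"], tables["tunnel-group"]

def effective_split_policy(text, tunnel_group):
    """Map each user to (group-policy, split mode): an explicit vpn-group-policy wins
    over the tunnel-group default; unset split-tunnel-policy inherits DfltGrpPolicy."""
    policies, users, groups = parse_asa(text)
    policies.setdefault("DfltGrpPolicy", "tunnelall")  # factory default, assumed unchanged
    default = groups.get(tunnel_group, "DfltGrpPolicy")
    return {user: (bound or default,
                   policies.get(bound or default, policies["DfltGrpPolicy"]))
            for user, bound in users.items()}
```

Running it on the sample reports User1 on NEWPOLICY (tunnelall) and User2 on hw_policy (tunnelspecified), which is the split the asker wanted; a tunnelall user still needs a return path (NAT) on the ASA before Internet traffic would actually work through the tunnel.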

Hi AMatahen,

Your solution works perfectly!!

I will be eternally grateful!

Thank you!

a.matahen
Level 1

Great news! Best of luck

Glad that I could help!

AMatahen
