Control VPN user to access a server

chekfu asked:


I will appreciate it very much if you can help.

I have configured IPSec VPN Remote Access using Cisco ASA 5500 series. It has been working.

Recently, we have granted VPN permission to a vendor. So, I have created an account for the vendor, and then set up the Cisco VPN Client with an imported pcf file on his laptop.

I want to control the VPN user to access only one server. For example, to ONLY allow that vendor account to RDP to a server (e.g.
batry_boy replied:

If you're using a local user account for the vendor, then you need to have the following statements in your ASA config (substitute the appropriate values for the user account and group policy name):

username vendoruser attributes
 vpn-group-policy VendorPolicy
group-policy VendorPolicy attributes
 vpn-filter value VendorAccess
access-list VendorAccess permit ip any host

I put "any" as the source address in that ACL because you don't know which IP address that vendor will get from the VPN pool of addresses.  Instead, the ACL is tied to his user account via the group policy so you don't have to worry about the source IP address.  And if you ever need to grant additional access to other hosts, just add similar ACL statements to that same "VendorAccess" ACL.

Hope this helps...
chekfu replied:

Hi batry_boy,

Thanks for your great help.

Currently, VPN account is integrated with RADIUS Server (MS IAS) instead of local user account.

Need your help to enlighten me on how to deal with my scenario. Thanks in advance!
chekfu replied:

Any updates?

Your help is very much appreciated.
batry_boy replied:

Which group policy is the vendor set up to use on the ASA? Once you know that, then just use the last 3 commands in my first post referencing the appropriate group policy.
chekfu replied:

The same group policy is applied to the vendor and normal users.

Do downloadable ACLs work? How do I do that? If I only want to restrict a vendor named vendor1 to only RDP to
batry_boy replied:

Yes, you can use those. See the following link:

I've never had occasion to use them before, but my understanding is that even if multiple users are using the same VPN group, the downloadable ACLs can be applied on a per-user basis.
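To make both approaches in this thread concrete, here is an added Python example (not code from the thread, from Cisco, or from Microsoft). It renders the local-user vpn-filter configuration from the first answer, and it encodes and decodes the RADIUS Vendor-Specific attribute (RFC 2865 type 26, Cisco vendor ID 9, Cisco-AV-Pair vendor-type 1) carrying `ip:inacl#N=<ace>`, which is the form the ASA accepts for a per-user downloadable ACL from a RADIUS server such as IAS. It then audits the decoded ACL to confirm it permits nothing but RDP (TCP 3389) to one host. The host 10.0.0.10, the user vendor1 and the names VendorPolicy and VendorAccess are constructed placeholder values.

```python
"""Per-user VPN restriction for a vendor account on a Cisco ASA.

Two mechanisms from the thread:
  1. local user  -> group-policy -> vpn-filter ACL (render_vpn_filter)
  2. RADIUS user -> Cisco-AV-Pair ip:inacl#N=<ace> (encode/decode)
Host 10.0.0.10 and the account/policy names are constructed placeholders.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AV_PAIR = 1             # vendor-type of Cisco-AV-Pair
MAX_AVPAIR_LEN = 255 - 2 - 4 - 2  # attr hdr, vendor id, vendor hdr


@dataclass(frozen=True)
class AclEntry:
    proto: str                  # "ip", "tcp" or "udp"
    dst_host: str               # the one server the vendor may reach
    dst_port: Optional[int] = None  # service port; None for "ip"

    def text(self) -> str:
        # Source is "any": the client's pool address is not known in advance.
        line = f"permit {self.proto} any host {self.dst_host}"
        if self.dst_port is not None:
            line += f" eq {self.dst_port}"
        return line


def render_vpn_filter(user: str, policy: str, acl_name: str,
                      entries: List[AclEntry]) -> str:
    """ASA CLI for the local-user case: ACL -> group-policy -> username."""
    lines = [f"access-list {acl_name} extended {e.text()}" for e in entries]
    lines += [f"group-policy {policy} internal",
              f"group-policy {policy} attributes",
              f" vpn-filter value {acl_name}",
              f"username {user} attributes",
              f" vpn-group-policy {policy}"]
    return "\n".join(lines)


def encode_cisco_av_pairs(entries: List[AclEntry]) -> bytes:
    """One Vendor-Specific attribute per ACE, value ip:inacl#N=<ace>."""
    out = b""
    for n, e in enumerate(entries, start=1):
        value = f"ip:inacl#{n}={e.text()}".encode("ascii")
        if len(value) > MAX_AVPAIR_LEN:
            raise ValueError("AV-pair too long for one RADIUS attribute")
        vendor_data = struct.pack("!BB", CISCO_AV_PAIR, 2 + len(value)) + value
        out += struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC,
                           6 + len(vendor_data), CISCO_VENDOR_ID) + vendor_data
    return out


def decode_cisco_av_pairs(blob: bytes) -> List[str]:
    """Walk a run of RADIUS attributes and return Cisco-AV-Pair strings."""
    pairs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if atype != RADIUS_VENDOR_SPECIFIC or alen < 8 or i + alen > len(blob):
            raise ValueError("malformed Vendor-Specific attribute")
        vendor_id = struct.unpack("!I", blob[i + 2:i + 6])[0]
        if vendor_id == CISCO_VENDOR_ID:
            j = i + 6
            while j < i + alen:
                vtype, vlen = blob[j], blob[j + 1]
                if vlen < 2 or j + vlen > i + alen:
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AV_PAIR:
                    pairs.append(blob[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return pairs


def rdp_only(pairs: List[str], host: str) -> bool:
    """Audit: every downloaded ACE must be TCP 3389 to this single host."""
    aces = [p.split("=", 1)[1] for p in pairs if p.startswith("ip:inacl#")]
    expected = f"permit tcp any host {host} eq 3389"
    return bool(aces) and all(a == expected for a in aces)


if __name__ == "__main__":
    vendor_acl = [AclEntry("tcp", "10.0.0.10", 3389)]
    print(render_vpn_filter("vendor1", "VendorPolicy", "VendorAccess", vendor_acl))
    wire = encode_cisco_av_pairs(vendor_acl)
    print(wire.hex())
    print(decode_cisco_av_pairs(wire), rdp_only(decode_cisco_av_pairs(wire), "10.0.0.10"))
```

The `rdp_only` check is the defender's sanity test: an `ip` ACE to the server (as in the first answer) passes the ACL but fails the audit, because it lets the vendor reach every port on that host, not just RDP. Before relying on either form in production, confirm the ACE direction (which side the source and destination refer to) against the vpn-filter documentation for your ASA release, since a filter written the wrong way round silently permits nothing or too much.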