How do I restrict VPN VLAN network access by username?

Posted on 2009-04-02
Last Modified: 2012-05-06
I'm trying to configure my Cisco ASA 5510 to restrict VPN network access to only one VLAN on the internal network by the username used to login.  I have a vendor that setup our Audio/Visual equipment and they need remote access to fix programming problems from time to time.  I want to either create a username for them on the ASA or on the domain which ever will make this work.  Then I need them to only be allowed access to

I have tried multiple configurations to make this work and the only way I seem to be able to come close is to block access on the Outside interface for the IP range to anything else on the internal network except for since is what range is assigned to the VPN group.  This solution then blocks everyone using the VPN and doesn't completely solve my problem.

I have tried assigning an ACL to the VPN group but it doesn't seem to take; I must be missing something.  I also don't completely understand how a tunnel group works, which might be part of my problem.

Here is a little info about how my network is configured.

Internet <----->ASA<---->Cisco 4503<---->LAN
All of my VLAN are configured on the 4503

Thanks in advance for any help you might be able to provide.  Here is my current config:

: Saved
ASA Version 8.0(4)
hostname Ciscoasa
enable password
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address "Outside IP"
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
object-group service RDP tcp
 description Terminal Services Connections
 port-object range 3389 3389
object-group service IMAP4 tcp-udp
 description IMAP4  iPhones
 port-object range 143 143
object-group service SSL-IMAP tcp-udp
 description SSL IMAP for iPhones
 port-object range 993 993
object-group service Inter-tel-5566 tcp
 description Inter-tel TCP 5566
 port-object eq 5566
object-group service Inter-tel-5567 udp
 description Inter-tel UDP 5567
 port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
 group-object IMAP4
 group-object SSL-IMAP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Blocked-Ports
 description Q-Charts Ports 8048 - 8049 unassigned
 service-object tcp-udp eq 8048
 service-object tcp-udp eq 8049
 service-object tcp-udp eq 2189
 service-object tcp-udp source eq 23100 eq 23100
 service-object tcp-udp source eq 24100 eq 24100
object-group service SSL-VPN tcp-udp
 description Cisco SSL VPN Client
 port-object eq 444
access-list Outside_access_in extended permit ip
access-list Outside_access_in extended permit ip any inactive
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp interface Outside eq smtp
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565
access-list Inside_access_in remark SMTP Outbound SihleExchange
access-list Inside_access_in extended permit tcp host eq smtp
access-list Inside_access_in remark Block All Outbound SMTP Traffic
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in remark Block AOL Instant Messenger
access-list Inside_access_in extended deny tcp any any eq aol inactive
access-list Inside_access_in remark Q-Charts
access-list Inside_access_in extended deny object-group Blocked-Ports any any
access-list Inside_access_in extended permit ip any any
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any
access-list VPN_Clients extended permit ip any
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm warnings
logging from-address
logging recipient-address level emergencies
logging facility 16
logging debug-trace
logging ftp-server ASA5510
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN mask
ip local pool Vendors mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0
nat (Inside) 1
static (Inside,Outside) tcp interface 3389 3389 netmask
static (Inside,Outside) tcp interface 8081 8081 netmask
static (Inside,Outside) tcp interface smtp smtp netmask
static (Inside,Outside) tcp interface www www netmask
static (Inside,Outside) tcp interface https https netmask
static (Inside,Outside) tcp interface 993 993 netmask
static (Inside,Outside) udp interface 993 993 netmask
static (Inside,Outside) tcp interface imap4 imap4 netmask
static (Inside,Outside) udp interface 143 143 netmask
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 10
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol radius
aaa-server (Inside) host Sihle-DC
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
 nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 keypair key
 crl configure
crypto ca server
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    30820208 30820171 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd wins
dhcpd domain
dhcpd address management
vpn load-balancing
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 Outside
 port 444
 enable Outside
 dtls port 444
 csd image disk0:/csd_3.4.1108.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy DfltGrpPolicy attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Vendors internal
group-policy Vendors attributes
 banner value This network is intended for private use only.
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
username  encrypted privilege 0
username  attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool (Inside) VPN
 authentication-server-group Sihle-Domain
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool (Inside) Vendors
 address-pool Vendors
 authentication-server-group Sihle-Domain
 authentication-server-group (Inside) LOCAL
tunnel-group Vendors webvpn-attributes
 group-alias Vendors enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
service-policy global_policy global
prompt hostname context
: end
asdm image disk0:/asdm-61551.bin
asdm location Inside
asdm location Inside
asdm location Inside
no asdm history enable


Question by:SihleIns
LVL 16

Expert Comment

ID: 24050394
I create a tunnel group for each individual with their own ACL.  We don't get many requests for "outside" people to access our network, so this works for us.

Here's a doc on creating ACLs on the PIX and ASA.
LVL 10

Expert Comment

ID: 24054155
You need a group-policy and a tunnel-group specific to the vendor, plus a defined ACL with the hosts and/or nets you want the user to be able to access; then create the user(s) and put the user(s) into the group. Here's an example:

group-policy vendor-mainline internal
group-policy vendor-mainline attributes
vpn-filter value mainline_acl

username vendor-mainline attributes
vpn-group-policy vendor-mainline
vpn-filter value mainline_acl

tunnel-group vendor-mainline type ipsec-ra

tunnel-group vendor-mainline general-attributes
default-group-policy vendor-mainline

access-list mainline_acl extended permit ip any host
access-list mainline_acl extended permit ip any
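The answer above relies on one ASA-side mechanism, and the posted config relies on another, so here is a worked comparison. This is an added example, not the poster's config and not the expert's exact commands; the subnet for VLAN 40 (10.0.40.0/24), the vendor pool (192.168.250.0/24), the ACL name AV_Vendor_Filter and the username avvendor are all assumed placeholder values. The point it shows: a split-tunnel network list (what the posted config uses) is only a route hint pushed to the client and is not enforced by the firewall; a vpn-filter ACL attached to the group policy and to the user is enforced by the ASA for every packet in the session.

```cisco
! --- Added example, not from the original question or answers. ---
! Assumed values: VLAN 40 = 10.0.40.0/24, vendor pool = 192.168.250.0/24,
! ACL name AV_Vendor_Filter, local account avvendor.

! WEAK (what the posted config does): a standard ACL used only as a
! split-tunnel list. It tells the client what to route into the tunnel;
! the ASA itself never drops anything because of it.
access-list Audio_Visual_VLAN_Only standard permit 10.0.40.0 255.255.255.0
group-policy Vendors attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only

! ENFORCED: an extended ACL applied with vpn-filter. Write it with the
! VPN address pool as source and the permitted internal network as
! destination; the ASA evaluates it for both directions of the session,
! so no reverse ACE is needed. The explicit final deny is redundant with
! the implicit deny but gives a hit counter in "show access-list".
ip local pool Vendors 192.168.250.10-192.168.250.20 mask 255.255.255.0
access-list AV_Vendor_Filter remark Vendor VPN users reach VLAN 40 only
access-list AV_Vendor_Filter extended permit ip 192.168.250.0 255.255.255.0 10.0.40.0 255.255.255.0
access-list AV_Vendor_Filter extended deny ip any any

group-policy Vendors internal
group-policy Vendors attributes
 vpn-tunnel-protocol IPSec svc webvpn
 vpn-filter value AV_Vendor_Filter
 group-lock value Vendors
 address-pools value Vendors

! The account must already exist before "username ... attributes" is
! accepted, and vpn-filter is only valid inside an attributes sub-mode.
! The filter is repeated at user level so it survives a later change to
! the group policy: user attributes take precedence over group policy.
username avvendor password <set-a-strong-password> privilege 0
username avvendor attributes
 vpn-group-policy Vendors
 vpn-filter value AV_Vendor_Filter

tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool Vendors
 authentication-server-group LOCAL
 default-group-policy Vendors

! Verification once the vendor has connected:
!   show vpn-sessiondb remote filter name avvendor   -> "Filter Name" column
!   show access-list AV_Vendor_Filter                -> per-ACE hit counts
```

Two things to check against the rest of the posted config: the vendor pool must also be covered by the nat 0 exemption list (VPN_Clients in the question) or replies from VLAN 40 are translated, and the group-lock line keeps the vendor account from authenticating through the Employees tunnel group, which has no filter.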

Author Comment

ID: 24054372
The ASA keeps giving me "Invalid input detected" when I try either one of these commands:
vpn-filter value mainline_acl (this one says the error is at the f in filter)
username vendor-mainline attributes (this one says the error is at the n in name)
What am I missing?  I have the latest IOS installed on the ASA.

Accepted Solution

SihleIns earned 0 total points
ID: 24060125
I found the answer to my question on Cisco's website.  Both of your posts helped point me in the right direction.  Thanks.

