How do I restrict VPN VLAN network access by username?

Posted on 2009-04-02
Last Modified: 2012-05-06
I'm trying to configure my Cisco ASA 5510 to restrict VPN network access to only one VLAN on the internal network, based on the username used to log in.  I have a vendor that set up our Audio/Visual equipment and they need remote access to fix programming problems from time to time.  I want to either create a username for them on the ASA or on the domain, whichever will make this work.  Then I need them to only be allowed access to

I have tried multiple configurations to make this work, and the only way I seem to be able to come close is to block access on the Outside interface for the IP range to anything else on the internal network except for , since that is the range assigned to the VPN group.  This solution then blocks everyone using the VPN and doesn't completely solve my problem.

I have tried assigning an ACL to the VPN group but it doesn't seem to take; I must be missing something.  I also don't understand completely how a tunnel group works, and that might be part of my problem.

Here is a little info about how my network is configured.

Internet <----->ASA<---->Cisco 4503<---->LAN
All of my VLANs are configured on the 4503.

Thanks in advance for any help you might be able to provide.  Here is my current config:

: Saved
ASA Version 8.0(4) 
hostname Ciscoasa
domain-name corp.domain.com
enable password 
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address "Outside IP" 
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 
interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 no nameif
 no security-level
 no ip address
interface Management0/0
 nameif management
 security-level 100
 ip address 
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 domain-name corp.domain.com
object-group service RDP tcp
 description Terminal Services Connections
 port-object range 3389 3389
object-group service IMAP4 tcp-udp
 description IMAP4  iPhones
 port-object range 143 143
object-group service SSL-IMAP tcp-udp
 description SSL IMAP for iPhones
 port-object range 993 993
object-group service Inter-tel-5566 tcp
 description Inter-tel TCP 5566
 port-object eq 5566
object-group service Inter-tel-5567 udp
 description Inter-tel UDP 5567
 port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
 group-object IMAP4
 group-object SSL-IMAP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Blocked-Ports
 description Q-Charts Ports 8048 - 8049 unassigned
 service-object tcp-udp eq 8048 
 service-object tcp-udp eq 8049 
 service-object tcp-udp eq 2189 
 service-object tcp-udp source eq 23100 eq 23100 
 service-object tcp-udp source eq 24100 eq 24100 
object-group service SSL-VPN tcp-udp
 description Cisco SSL VPN Client
 port-object eq 444
access-list Outside_access_in extended permit ip 
access-list Outside_access_in extended permit ip any inactive 
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP 
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081 
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp interface Outside eq smtp 
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive 
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2 
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566 
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567 
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565 
access-list Inside_access_in remark SMTP Outbound SihleExchange
access-list Inside_access_in extended permit tcp host eq smtp 
access-list Inside_access_in remark Block All Outbound SMTP Traffic
access-list Inside_access_in extended deny tcp any any eq smtp 
access-list Inside_access_in remark Block AOL Instant Messenger
access-list Inside_access_in extended deny tcp any any eq aol inactive 
access-list Inside_access_in remark Q-Charts
access-list Inside_access_in extended deny object-group Blocked-Ports any any 
access-list Inside_access_in extended permit ip any any 
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any 
access-list VPN_Clients extended permit ip any 
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit 
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any 
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address email@address.com level emergencies
logging facility 16
logging debug-trace
logging ftp-server ASA5510
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN mask
ip local pool Vendors mask
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0
nat (Inside) 1
static (Inside,Outside) tcp interface 3389 3389 netmask 
static (Inside,Outside) tcp interface 8081 8081 netmask 
static (Inside,Outside) tcp interface smtp smtp netmask 
static (Inside,Outside) tcp interface www www netmask 
static (Inside,Outside) tcp interface https https netmask 
static (Inside,Outside) tcp interface 993 993 netmask 
static (Inside,Outside) udp interface 993 993 netmask 
static (Inside,Outside) tcp interface imap4 imap4 netmask 
static (Inside,Outside) udp interface 143 143 netmask 
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 10
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
route Inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server protocol radius
aaa-server (Inside) host Sihle-DC
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
 nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http management
http Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn Ciscoasa.corp.domain.com
 subject-name CN=Ciscoasa.corp.domain.com
 keypair key
 crl configure
crypto ca server 
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    30820208 30820171 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns
dhcpd wins
dhcpd domain corp.domain.com
dhcpd address management
vpn load-balancing 
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 Outside
 port 444
 enable Outside
 dtls port 444
 csd image disk0:/csd_3.4.1108.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy DfltGrpPolicy attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Vendors internal
group-policy Vendors attributes
 banner value This network is intended for private use only.
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
username  encrypted privilege 0
username  attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool (Inside) VPN
 authentication-server-group Sihle-Domain
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool (Inside) Vendors
 address-pool Vendors
 authentication-server-group Sihle-Domain
 authentication-server-group (Inside) LOCAL
tunnel-group Vendors webvpn-attributes
 group-alias Vendors enable
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns migrated_dns_map_1
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
service-policy global_policy global
prompt hostname context 
: end
asdm image disk0:/asdm-61551.bin
asdm location Inside
asdm location Inside
asdm location Inside
no asdm history enable


Question by:SihleIns
LVL 16

Expert Comment

ID: 24050394
I create a tunnel group for each individual with their own ACL.  We don't get many requests for "outside" people to access our network, so this works for us.

Here's a doc on creating ACLs on the PIX and ASA.
LVL 10

Expert Comment

ID: 24054155
You need a group-policy and a tunnel-group specific to the vendor and a defined ACL with the hosts and/or nets you want the user to be able to access, then create the user(s) and put the user(s) into the group - here's an example:

group-policy vendor-mainline internal
group-policy vendor-mainline attributes
vpn-filter value mainline_acl

username vendor-mainline attributes
vpn-group-policy vendor-mainline
vpn-filter value mainline_acl

tunnel-group vendor-mainline type ipsec-ra

tunnel-group vendor-mainline general-attributes
default-group-policy vendor-mainline

access-list mainline_acl extended permit ip any host
access-list mainline_acl extended permit ip any

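A fuller version of the vendor-restriction pattern described in the comment above, written against the objects already present in the posted config (the Vendors group policy, the Vendors pool, and VLAN 40). This is an added example, not the expert's or Cisco's text; VLAN40_SUBNET, VLAN40_MASK, VENDOR_POOL, POOL_MASK, the av-vendor account and its password are placeholders, and the syntax assumes ASA 8.0(4) as shown in the config.

```cisco
! Placeholders (not from the page): VLAN40_SUBNET / VLAN40_MASK for the A/V VLAN,
! VENDOR_POOL / POOL_MASK for the addresses handed to the vendor client,
! av-vendor / <password> for the vendor account.
!
! 1. vpn-filter needs an EXTENDED ACL, which is why a standard ACL such as
!    Audio_Visual_VLAN_Only cannot be used here. Source = the address the VPN
!    client was assigned (the Vendors pool), destination = the internal network.
!    The ASA evaluates the reverse of the same ACL for return traffic.
access-list Vendor_AV_Filter extended permit ip VENDOR_POOL POOL_MASK VLAN40_SUBNET VLAN40_MASK
access-list Vendor_AV_Filter extended deny ip any any
!
! 2. Attach the filter to the group policy that already exists in the posted config.
!    The split-tunnel list only tells the client which routes go into the tunnel;
!    it does not stop a client that ignores it. vpn-filter is enforced on the ASA
!    itself, so the two are used together.
group-policy Vendors attributes
 vpn-filter value Vendor_AV_Filter
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
!
! 3. A local account pinned to that policy. vpn-group-policy is entered in
!    "username <name> attributes" mode, not at the top-level config prompt.
!    service-type remote-access keeps the account from being used for
!    management logins (optional, but fits a vendor account).
username av-vendor password <password> privilege 0
username av-vendor attributes
 vpn-group-policy Vendors
 service-type remote-access
!
! 4. The vendor tunnel group authenticates against LOCAL only, so a domain
!    account cannot land in this group. The posted config lists both a
!    Sihle-Domain and a LOCAL server group under tunnel-group Vendors;
!    keep just one of them.
tunnel-group Vendors general-attributes
 address-pool Vendors
 authentication-server-group LOCAL
 default-group-policy Vendors
!
! Verification after a vendor connects:
!   show vpn-sessiondb remote filter name av-vendor
!   show access-list Vendor_AV_Filter
! The second command shows hit counts per line, so a test connection from the
! vendor client to a host outside VLAN 40 should increment the deny entry.
```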
Author Comment

ID: 24054372
The ASA keeps giving me "Invalid input detected" when I try either one of these commands
vpn-filter value mainline_acl (this one says the error is at the f in filter)
username vendor-mainline attributes (this one says the error is at the n in name)
What am I missing?  I have the latest IOS installed on the ASA.

Accepted Solution

SihleIns earned 0 total points
ID: 24060125
I found the answer to my question on Cisco's website.  Both of your posts helped point me in the right direction.  Thanks.
