
CiscoVPN authentication on ASA 5510 using IAS AND restricting it to one server inside

netcmh
Dear all,

How does one go about doing this?

I've read a couple of pages on EE and some on techrepublic. But, it's left me confused.

Does anyone have a step by step to help me?

Thanks
Pete Long (Technical Consultant) commented:
http://www.petenetlive.com/KB/Article/0000071.htm

To restrict to one accessible IP address, see step 12 of the firewall config section.

Pete


Commented:
Thank you for those instructions. I'm going to try them out today.

Are these instructions going to be compatible with pre-existing site-to-site VPN configs already in place? I wouldn't want those configs to change.
After following the instructions, my client laptop with the same settings just keeps getting "contacting the security gateway at xxx.xxx.xxx.xxx", and then gets "terminated by peer", reason 433: reason not specified by peer.

Any ideas?
Btw, I've tried the isakmp nat-traversal fix; it did not work.
I have also set the VPN idle timeout to none.
I'm sorry, but can I throw in one more complexity: there's an ISA in between the ASA and the IAS.

Anyone?
Past the previous issue. Client gets connected. AD authentication happening, all good.

But I can't do anything once connected. Any ideas?
How would I modify your config to say:

User dummy1 can only access one IP address, e.g. 192.168.9.5, for RDP, i.e. port 3389.

I created the extended list and added it to the group-policy. What else am I to do?

Thanks
Please help.

What's wrong with this config? Permitting VPN users only to 192.168.9.5.

access-list nonat extended permit ip host 192.168.9.5 172.16.200.0 255.255.255.0

access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.9.5

ip local pool Restricted_VPN_IP_Pool 172.16.200.1-172.16.200.50 mask 255.255.255.0

nat-control

nat (inside) 0 access-list nonat

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.2.3
 timeout 60
 key cisco

crypto isakmp enable outside

group-policy RestrictedVPN internal
group-policy RestrictedVPN attributes
 dns-server value 192.168.2.1 192.168.2.2
 vpn-filter value RestrictedVPN_splitTunnelAcl
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl
 default-domain value company.prv

tunnel-group RestrictedVPN type remote-access
tunnel-group RestrictedVPN general-attributes
 address-pool Restricted_VPN_IP_Pool
 authentication-server-group RADIUS
 default-group-policy RestrictedVPN
tunnel-group RestrictedVPN ipsec-attributes
 pre-shared-key *

Thank you
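The thread never reaches a fix, so here is an added ASA fragment (not from the thread or from the petenetlive article) showing the one change the posted config needs. It assumes the names and addresses from the post: pool 172.16.200.0/24, target host 192.168.9.5, group-policy RestrictedVPN. The point is that vpn-filter only accepts an extended ACL; the standard ACL in the post is fine for the split-tunnel list but silently cannot act as a filter.

```cisco
! Added example; assumes the pool, host and group-policy names the asker posted.

! Standard ACL: valid for split-tunnel-network-list, not valid as a vpn-filter.
access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.9.5

! vpn-filter needs an extended ACL. For a remote-access group it is written with
! the VPN client pool as the source and the inside resource as the destination;
! the port is the inside host's listening port (RDP, 3389). The filter is applied
! in both directions, so no return entry is needed.
access-list RestrictedVPN_Filter extended permit tcp 172.16.200.0 255.255.255.0 host 192.168.9.5 eq 3389
! Everything else through the tunnel hits the implicit deny, including the DNS
! servers the group-policy hands out (192.168.2.1/2), unless permitted here.

group-policy RestrictedVPN attributes
 vpn-filter value RestrictedVPN_Filter
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl

! Check which filter a connected user actually received:
! show vpn-sessiondb remote filter name dummy1
! Confirm the filter ACL is registering hits while the user tests RDP:
! show access-list RestrictedVPN_Filter
```

Because the filter is tied to the group-policy, every user landing in tunnel-group RestrictedVPN gets the same restriction; a per-user policy for dummy1 alone would have to be assigned from IAS (RADIUS Class attribute) or a local username entry, which the thread does not cover.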
Anyone?
lack of communication