
CiscoVPN authentication on ASA 5510 using IAS AND restricting it to one server inside

netcmh asked:
Dear all,

How does one go about doing this?

I've read a couple of pages on EE and some on techrepublic. But, it's left me confused.

Does anyone have a step by step to help me?


To restrict to one accessible IP address, see step 12 of the firewall config section.


[url=http://www.petenetlive.com/KB/Article/0000071.htm]IAS VPN[/url]
Pete Long, Technical Consultant

Thank you for those instructions. I'm going to try them out today.

Are these instructions going to be compatible with pre-existing site-to-site VPN configs already in place? I wouldn't want those configs to change.
After following the instructions, my client laptop with the same settings just keeps getting "contacting the security gateway at xxx.xxx.xxx.xxx", and then gets "terminated by peer" reason 433: reason not specified by peer

Any ideas?
Btw, I've tried the isakmp nat-traversal fix, did not work.
Have also set the VPN idle timeout to none.
I'm sorry but, can I throw in one more complexity - there's an ISA in between the ASA and the IAS.

Past the previous issue. Client gets connected. AD authentication happening, all good.

But I can't do anything once connected. Any ideas?
How would I modify your config to say:

User dummy1 can only access one IP address, e.g. for RDP, i.e. port 3389.

I created the extended list and added it to the group-policy. What else am I to do?

Please help.

What's wrong with this config? Permitting VPN users only to

access-list nonat extended permit ip host

access-list RestrictedVPN_splitTunnelAcl standard permit host

ip local pool Restricted_VPN_IP_Pool mask


nat (inside) 0 access-list nonat

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host
 timeout 60
 key cisco

crypto isakmp enable outside

group-policy RestrictedVPN internal
group-policy RestrictedVPN attributes
 dns-server value
 vpn-filter value RestrictedVPN_splitTunnelAcl
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl
 default-domain value company.prv

tunnel-group RestrictedVPN type remote-access
tunnel-group RestrictedVPN general-attributes
 address-pool Restricted_VPN_IP_Pool
 authentication-server-group RADIUS
 default-group-policy RestrictedVPN
tunnel-group RestrictedVPN ipsec-attributes
 pre-shared-key *

Thank you
lack of communication
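An added example of the "restrict VPN users to one inside host" part of the question, written for this thread and not taken from it or from the linked petenetlive article. The posted config reuses the standard split-tunnel ACL as the vpn-filter; a standard ACL has no protocol or port fields, so it cannot say "only TCP 3389", and the ASA's vpn-filter expects an extended ACL. The addresses below are constructed placeholders (client pool 10.10.10.0/24, RDP host 192.168.1.50); substitute your own.

```cisco
! Added example, not the thread's own config. Constructed addresses:
!   VPN client pool  10.10.10.0/24   (Restricted_VPN_IP_Pool)
!   RDP host         192.168.1.50    (the single server these users may reach)

! --- As posted: one STANDARD ACL serves as both split-tunnel list and vpn-filter.
! --- No protocol/port can be expressed, and vpn-filter wants an extended ACL.
access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.1.50
group-policy RestrictedVPN attributes
 vpn-filter value RestrictedVPN_splitTunnelAcl
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl

! --- Corrected: keep the standard ACL for split tunnelling (it only tells the
! --- client which destinations go into the tunnel) and add a separate EXTENDED
! --- ACL for the vpn-filter. vpn-filter ACEs are written with the remote client
! --- as source and the inside resource as destination; the ASA matches the
! --- return traffic against the same ACE, so no reverse entry is needed.
ip local pool Restricted_VPN_IP_Pool 10.10.10.1-10.10.10.50 mask 255.255.255.0
access-list RestrictedVPN_splitTunnelAcl standard permit host 192.168.1.50
access-list RestrictedVPN_filter extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.1.50 eq 3389
! Implicit deny at the end of the filter: anything else from the pool is dropped.
group-policy RestrictedVPN attributes
 vpn-filter value RestrictedVPN_filter
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RestrictedVPN_splitTunnelAcl

! Checks after a client connects (ASA CLI):
! show vpn-sessiondb remote filter name dummy1   -> session present, group-policy RestrictedVPN
! show access-list RestrictedVPN_filter          -> hit count rises only on the 3389 ACE
```

Two usage points. First, the filter is per group-policy, so "only user dummy1" means making sure only that user lands in RestrictedVPN: with IAS as the RADIUS server, the usual way is a remote access policy that returns the Class attribute as `OU=RestrictedVPN;`, which the ASA maps to the group-policy of that name. Second, the RDP host must still route replies back to the pool (here 10.10.10.0/24) via the ASA's inside interface, and the `nonat` ACL must exempt pool-to-host traffic from NAT, otherwise the session authenticates but nothing is reachable, which is exactly the "connected but can't do anything" symptom above.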