ASA 5520 Client VPN

Posted on 2011-04-30
Last Modified: 2012-05-11
I have an ASA 5520 VPN client configured and working fine with RADIUS authentication against an AD server and DHCP on the ASA for the VPN client. I have 6 users who need to access certain servers, and nobody else but them.
I tried creating a test user on the local ASA, assigned him a static IP, and tried to make the VPN authentication mixed RADIUS and LOCAL, but with no luck: it didn't work for the local user, only for AD users!
The VPN pool range is –, all I need is to have a range of 6 IPs – outside of that VPN range to be assigned to those specific users so I can grant them access to the servers on the internal network. How do I do that? Your help is really appreciated.
Part of the config for VPN client is here:
enable Outside
group-policy DfltGrpPolicy attributes
 dns-server value
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value DefaultWEBVPNGroup
 address-pools value NNNVPNPool2
group-policy NNNVPNTUNNEL internal
group-policy NNNVPNTUNNEL attributes
 wins-server value
 dns-server value
 vpn-tunnel-protocol webvpn
 default-domain value ******
username XXXX password ********** encrypted privilege 15
username test password ********** encrypted privilege 15
username test attributes
 vpn-group-policy NNNVPNTUNNEL
tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (Outside) RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool (Inside) NNNVPNPool
 address-pool NNNVPNPool2
 authentication-server-group RADIUS LOCAL
 authentication-server-group (Outside) RADIUS LOCAL
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 pre-shared-key ***********
tunnel-group NNNVPNTUNNEL type remote-access
tunnel-group NNNVPNTUNNEL general-attributes
 address-pool NNNVPNPool2
 authentication-server-group RADIUS LOCAL
 default-group-policy NNNVPNTUNNEL
tunnel-group NNNVPNTUNNEL ipsec-attributes
 pre-shared-key **********
Question by:modathir

    Accepted Solution

    You didn't list the details of NNNVPNPool2. I assume it defines –

    All you need to do is define NNNVPNPool3, which defines –

    Create a new group policy which uses the authentication method you want (LOCAL?) and assign it to use NNNVPNPool3.

    Finally, create an ACL or other policy to define what – can access.
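
The steps in the accepted answer, written out as an added configuration sketch in the same ASA 8.x syntax as the question's config (it is not from the original post or its author). The pool range, server addresses and ports, the names RESTRICTED-GP, RESTRICTED-TG, RESTRICTED-VPN-FILTER and user1, and the choice of LOCAL authentication are all assumptions, since the page does not show its own address ranges.

```cisco
! Added example: every address and name below is constructed for illustration.
! Six-address pool outside the general VPN pool (10.99.99.1-.6 in a /29).
ip local pool NNNVPNPool3 10.99.99.1-10.99.99.6 mask 255.255.255.248
!
! vpn-filter ACL: the VPN client (remote) address goes in the source position,
! the protected internal server in the destination position.
access-list RESTRICTED-VPN-FILTER extended permit tcp 10.99.99.0 255.255.255.248 host 10.10.10.21 eq 3389
access-list RESTRICTED-VPN-FILTER extended permit tcp 10.99.99.0 255.255.255.248 host 10.10.10.22 eq 443
access-list RESTRICTED-VPN-FILTER extended deny ip any any log
!
! Group policy that ties the filter and the small pool together.
group-policy RESTRICTED-GP internal
group-policy RESTRICTED-GP attributes
 vpn-tunnel-protocol IPSec
 vpn-filter value RESTRICTED-VPN-FILTER
 address-pools value NNNVPNPool3
 ! group-lock rejects users of this policy who connect through any other tunnel group
 group-lock value RESTRICTED-TG
!
! Dedicated tunnel group authenticating against the local user database only.
tunnel-group RESTRICTED-TG type remote-access
tunnel-group RESTRICTED-TG general-attributes
 address-pool NNNVPNPool3
 authentication-server-group LOCAL
 default-group-policy RESTRICTED-GP
tunnel-group RESTRICTED-TG ipsec-attributes
 pre-shared-key <GROUP-PSK-PLACEHOLDER>
!
! One of the six users: fixed address from the pool, VPN-only account.
! privilege 0 plus service-type remote-access keeps the account out of ASA management.
username user1 password <PASSWORD-PLACEHOLDER> privilege 0
username user1 attributes
 vpn-group-policy RESTRICTED-GP
 vpn-framed-ip-address 10.99.99.1 255.255.255.248
 service-type remote-access
```

The vpn-filter only limits what these six users can reach. Keeping every other VPN user away from the same servers needs a matching deny in the filter or ACL applied to their group policy.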
