Cisco IOS Remote Access VPN Restricting Traffic

Posted on 2011-10-27
Last Modified: 2013-11-08
Hi Experts,
I want to have multiple remote access vpn configurations.
One will be used for internal employees, one for contractors.
Both use a Windows 2008 NAP/Radius profile.
The internal employees get access to the entire subnet.
The contractors get access to one server.
How do I configure the IOS firewall with two profiles to do this? I have done it before with ASA. There are no articles I can find, or are there?
I'm using a crypto isakmp client configuration group xxxxx and applying it to the outside interface. I'm also using split-tunneling...
I don't want to have to paste the config, so if you can lend me an example or link to exactly this config it would be appreciated.
Thanks in advance.
Question by:Joesmail
    LVL 18

    Accepted Solution

    I think what you're trying to do requires RADIUS on the back end to authenticate the user and put them into a particular group.  Take a look at and see if it helps.  By using ACS you can assign the user to a group and apply an ACL on what they're allowed to access.
    LVL 1

    Expert Comment

    Within NAP VPN enforcement you have the ability to restrict access by creating custom policies on NPS. This is done either with IP filters or using a remediation servers group.
