AnyConnect to DMZ

XorgeD used Ask the Experts™

I am new to the ASA, I need some help with the following

I need an SSL VPN client to access only a particular DMZ sub-interface/VLAN; I have several. Some of my internal servers access some servers on the DMZ with no problem there. Each DMZ VLAN has NAT, so every VLAN outputs traffic through a different public IP.

I configured the 5520 for SSL VPN, the AnyConnect client is "Connecting", auth is local.
The client is receiving an IP from the vpnpool I configured, but I don't know how to input the NAT exemption rules, routes or ACLs for the VPN client to reach the desired VLAN.

The idea is to build a config where, depending on the user connecting, the SSL VPN tunnel points that connection to the appropriate DMZ/VLAN.

Thanks in advance

To have different clients have different access capabilities, I would usually use LDAP authentication and use group membership to select the appropriate group policy on the ASA; the group policy can then contain the appropriate ACL.


This can also be achieved using local authentication, right?
Yes, you can use local authentication for this.

You can create a group policy for each requirement and then select local users when you assign them. The policies are exclusive; you can only assign one of them to a user/group.

You can have a single split-tunnelling rule and a single ACL per group policy. The ACL can of course have multiple accept/deny rules within it.
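As an added example (not from the asker or the expert above), this is the shape of an ASA configuration that implements the per-user approach just described: one group policy per DMZ VLAN with its own split-tunnel list and vpn-filter ACL, a local user bound to that policy, and a NAT exemption so the VLAN's interface NAT does not rewrite client traffic. The interface name, subnets, pool and user are constructed placeholders, and the NAT line uses ASA 8.3+ syntax (pre-8.3 images use `nat (dmz10) 0 access-list ...` instead).

```cisco
! Constructed example: AnyConnect pool and one DMZ VLAN sub-interface
! (nameif "dmz10", subnet 172.16.10.0/24) are assumptions, not from the post.
ip local pool VPN_POOL 10.99.0.10-10.99.0.50 mask 255.255.255.0

object network VPN_POOL_NET
 subnet 10.99.0.0 255.255.255.0
object network DMZ10_NET
 subnet 172.16.10.0 255.255.255.0

! Split tunnel: only the DMZ10 subnet is routed into the tunnel on the client
access-list SPLIT_DMZ10 standard permit 172.16.10.0 255.255.255.0

! vpn-filter ACL: written with the VPN client as source, DMZ as destination.
! sysopt connection permit-vpn (on by default) bypasses interface ACLs for
! VPN traffic, so this filter is what actually confines the client to DMZ10.
access-list VPNFILTER_DMZ10 extended permit ip 10.99.0.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list VPNFILTER_DMZ10 extended deny ip any any

! One group policy per DMZ VLAN; repeat as GP_DMZ20 etc. for the other VLANs
group-policy GP_DMZ10 internal
group-policy GP_DMZ10 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DMZ10
 vpn-filter value VPNFILTER_DMZ10

! Local user pinned to the DMZ10 policy (overrides the tunnel-group default)
username alice password CHANGE-ME
username alice attributes
 vpn-group-policy GP_DMZ10
 service-type remote-access

! NAT exemption (ASA 8.3+ twice NAT): DMZ10 <-> VPN pool traffic stays
! untranslated, so it is not sent out through the VLAN's public IP.
nat (dmz10,outside) source static DMZ10_NET DMZ10_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
```

Verify with `show vpn-sessiondb anyconnect` that the session picked up GP_DMZ10 and its filter, and with `packet-tracer input dmz10 tcp 172.16.10.5 443 10.99.0.10 1025` that the return path hits the exemption rather than the interface NAT.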


Thanks, that clarified quite a few ideas for me.
