So you have a Cisco ASA and you want to limit what one particular remote-access VPN user can reach once they are connected. It's a common scenario and one that's pretty simple to deal with: give the user a fixed address, then filter on that address. This works for 7.2(3) and I believe the commands are the same for 8.x.
!! Create the user normally
username BobDobbs password *****
!! Assign the user a static IP. I use one that is in the same network as the group's IP pool but outside the pool's range, so it can never be handed out to another client.
!! For example, if the pool is 192.168.4.2-192.168.4.60 with mask 255.255.255.0, I'd assign this user 192.168.4.61.
username BobDobbs attributes
vpn-group-policy RA-Client-Policy
vpn-framed-ip-address x.x.x.x 255.255.255.0
!! Create an ACL that permits the new user's address to reach what you want, then denies that address everything else, then permits everyone else (or whatever you deem appropriate).
!! The ACL is matched top-down, first match wins, and there is an implicit deny at the end, so keep the entries in this order and don't leave off the final permit: a vpn-filter with no matching entry drops the traffic, and that last line is what keeps the other users of the group policy working.
!! In a vpn-filter the source side of each entry is the VPN client's address and the destination side is the inside host or network; the ASA also checks return traffic against the same entries with source and destination swapped.
access-list RA-Client-ACL-01 extended permit ip host x.x.x.x host y.y.y.y
access-list RA-Client-ACL-01 extended deny ip host x.x.x.x any
access-list RA-Client-ACL-01 extended permit ip any any
!! Finally, apply that ACL to the group-policy. (If you'd rather not touch the shared group policy, vpn-filter value can also be set under the username's attributes; a per-user vpn-filter overrides the one on the group policy.)
group-policy RA-Client-Policy attributes
vpn-filter value RA-Client-ACL-01
end
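As an added example (not from the original post; Python 3 standard library only), here is a small script that models the recipe above so the values can be sanity-checked before they go on the box: it confirms the static address sits in the pool's subnet but outside the pool's range, renders the username, access-list and group-policy lines, and then runs sample flows through the three-entry filter with first-match evaluation, the implicit deny, and the ASA's swap of source and destination for traffic heading back to the client. The inside hosts 10.10.10.25 and 10.10.10.26 and the second user at 192.168.4.7 are assumptions standing in for the post's y.y.y.y and "everyone else"; all addresses are constructed sample values.

```python
# Added example: not from the original post. Python 3 standard library only.
# Models the three steps above so the values can be sanity-checked offline:
#   1. the static address is in the pool's subnet but outside the pool range,
#   2. the vpn-filter ACL is first-match with an implicit deny at the end,
#   3. the filter is written with the VPN client as source; the ASA also checks
#      inside-initiated and return traffic with source/destination swapped.
# All addresses are constructed sample values; 10.10.10.25 stands in for the
# post's y.y.y.y and 192.168.4.7 for an ordinary pool user ("everyone else").
import ipaddress
from dataclasses import dataclass
from typing import List

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

POOL_START, POOL_END, POOL_MASK = IPv4("192.168.4.2"), IPv4("192.168.4.60"), "255.255.255.0"
VPN_NET = Net(f"{POOL_START}/{POOL_MASK}", strict=False)   # 192.168.4.0/24
BOB_IP = IPv4("192.168.4.61")        # static address from the post
ALICE_IP = IPv4("192.168.4.7")       # assumed ordinary pool user
TARGET = IPv4("10.10.10.25")         # assumed inside host Bob may reach
OTHER_INSIDE = IPv4("10.10.10.26")   # assumed inside host Bob may not reach
ANY = Net("0.0.0.0/0")


def static_ip_ok(user_ip: IPv4, pool_start: IPv4, pool_end: IPv4, mask: str) -> bool:
    """Same subnet as the pool, not inside the pool's range, and a usable host address."""
    subnet = Net(f"{pool_start}/{mask}", strict=False)
    in_subnet = user_ip in subnet
    in_pool = pool_start <= user_ip <= pool_end
    usable = user_ip not in (subnet.network_address, subnet.broadcast_address)
    return in_subnet and not in_pool and usable


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: Net      # VPN-client side
    dst: Net      # inside side

    def render(self, acl_name: str) -> str:
        """Emit the entry in ASA syntax (subnet masks, not wildcard masks)."""
        def fmt(n: Net) -> str:
            if n == ANY:
                return "any"
            if n.prefixlen == 32:
                return f"host {n.network_address}"
            return f"{n.network_address} {n.netmask}"
        return f"access-list {acl_name} extended {self.action} ip {fmt(self.src)} {fmt(self.dst)}"


def build_filter(user_ip: IPv4, target: IPv4) -> List[Ace]:
    """The post's three entries, in the order that matters."""
    return [
        Ace("permit", Net(f"{user_ip}/32"), Net(f"{target}/32")),
        Ace("deny", Net(f"{user_ip}/32"), ANY),
        Ace("permit", ANY, ANY),   # without this, the implicit deny hits everyone else
    ]


def render_config(user: str, user_ip: IPv4, mask: str, policy: str, acl_name: str, acl: List[Ace]) -> str:
    """The username, ACL and group-policy lines from the post, filled in."""
    lines = [f"username {user} attributes",
             f" vpn-group-policy {policy}",
             f" vpn-framed-ip-address {user_ip} {mask}"]
    lines += [ace.render(acl_name) for ace in acl]
    lines += [f"group-policy {policy} attributes", f" vpn-filter value {acl_name}"]
    return "\n".join(lines)


def evaluate(acl: List[Ace], src: IPv4, dst: IPv4) -> str:
    """First matching entry wins; no match means the ASA's implicit deny."""
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace.action
    return "deny"


def vpn_filter_decision(acl: List[Ace], vpn_net: Net, src: IPv4, dst: IPv4) -> str:
    """Decide a flow the way the ASA applies a vpn-filter: if the VPN side is the
    destination (return traffic, or a connection started from inside), the entries
    are checked with source and destination swapped. Ports are not modelled here."""
    if dst in vpn_net and src not in vpn_net:
        src, dst = dst, src
    return evaluate(acl, src, dst)


if __name__ == "__main__":
    assert static_ip_ok(BOB_IP, POOL_START, POOL_END, POOL_MASK)
    acl = build_filter(BOB_IP, TARGET)
    print(render_config("BobDobbs", BOB_IP, POOL_MASK, "RA-Client-Policy", "RA-Client-ACL-01", acl))
    for s, d in [(BOB_IP, TARGET), (BOB_IP, OTHER_INSIDE), (OTHER_INSIDE, BOB_IP), (ALICE_IP, OTHER_INSIDE)]:
        print(f"{s} -> {d}: {vpn_filter_decision(acl, VPN_NET, s, d)}")
```

Two things worth noticing when you run it: dropping the final permit any any entry (evaluate the first two entries only) turns every other user's traffic into a deny, which is exactly what happens on the ASA if the group policy's filter has no catch-all; and a connection from 10.10.10.26 towards Bob is refused even though no entry names 10.10.10.26 as a source, because the ASA evaluates the filter with the client on the source side regardless of who started the connection. The model only handles plain ip entries, so it says nothing about TCP/UDP ports.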
Thursday, May 27, 2010