ASA 5505, restrict VPN users access to server
  • ASA 5505, restrict VPN users access to server

    Hi.

    On an existing network with an ASA 5505, a customer wants to allow some VPN users to access server A and B, and other VPN users not to be able to access server B.

    I have created another Tunnel Groups using VPN Wizard, and on step 10 (Address Translation Exemption..) I thought that if I only select Server A, access to B will be denied.
    But this does not work.

    How to accomplish that? (I am much better with ASDM than CLI...)

    Regards Steffen

  • #2
    Re: ASA 5505, restrict VPN users access to server

    Hi Steffen,


    Cisco link:

    hxxp://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008046f31a.shtml#NEX1

    NAT Exemption

    NAT exemption exempts addresses from translation and allows both real and remote hosts to originate connections. NAT exemption lets you specify the real and destination addresses when determining the real traffic to exempt (similar to policy NAT), so you have greater control using NAT exemption than identity NAT. However unlike policy NAT, NAT exemption does not consider the ports in the access list. Use static identity NAT to consider ports in the access list.

    Exemption only decides whether address(es) are translated or not. It's not meant to block traffic.

    If you want to deny a VPN client user group access to a particular server or TCP port of that server, you will have to use ACLs to accomplish this.

    Greetz,

    Jaap
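
    The ACL approach Jaap describes, shown as an added configuration example (this is not from the original thread or from Cisco's own documentation): a VPN filter ACL attached to the group policy of the restricted tunnel group. Every name and address here is a constructed placeholder: `10.10.10.0/24` is assumed to be the VPN address pool, `192.168.1.10` server A, `192.168.1.11` server B, and `RESTRICTED_GP` / `RESTRICTED_TG` the group policy and tunnel group created for the restricted users.

    ```cisco
    ! VPN filter ACL. On the ASA, vpn-filter entries are written with the
    ! remote VPN client addresses as the source and the inside hosts as the
    ! destination; the filter is then enforced for traffic in both directions.
    access-list VPN_RESTRICTED_FILTER remark Restricted VPN users: server A only
    access-list VPN_RESTRICTED_FILTER extended permit ip 10.10.10.0 255.255.255.0 host 192.168.1.10
    ! Explicit deny for server B so the drop shows up in the logs; a vpn-filter
    ! ACL also ends with an implicit deny, so anything not permitted above is
    ! dropped anyway.
    access-list VPN_RESTRICTED_FILTER extended deny ip 10.10.10.0 255.255.255.0 host 192.168.1.11 log
    !
    ! Apply the filter through the group policy of the restricted users.
    group-policy RESTRICTED_GP attributes
     vpn-filter value VPN_RESTRICTED_FILTER
    !
    ! Make that group policy the default for the restricted tunnel group.
    tunnel-group RESTRICTED_TG general-attributes
     default-group-policy RESTRICTED_GP
    ```

    The unrestricted tunnel group keeps a group policy without a `vpn-filter`, so its users still reach both servers. NAT exemption stays in place for both groups exactly as the wizard created it; it only keeps the addresses untranslated and has no part in the access decision. After applying the filter, `show access-list VPN_RESTRICTED_FILTER` shows the hit counts per entry, which is the quickest way to confirm that a restricted user's attempt to reach server B is being matched by the deny line. In ASDM the same settings live under Configuration > Remote Access VPN > Network (Client) Access > Group Policies, in the Filter field of the group policy.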
