Can't you terminate the connections on two separate interfaces? I would create two virtual-templates and have each group just terminate on the different interface.
Regards,

Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Classroom and Self-Study Cisco CCNA (R&S, Voice & Security), CCNP, CCVP, CCSP and CCIE (R&S, Voice, Security & Service Provider) Certification Training with locations throughout the United States, Europe and Australia. Be sure to check out our online communities at www.ipexpert.com/communities and our public website at www.ipexpert.com

From: Mohamed Gazzaz [mailto:[email protected]]
Sent: Wednesday, February 17, 2010 12:13 PM
To: [email protected]; [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual Private Dialup Network - VPDN

Tyson,

Actually, we are doing this on a router. Currently we are using a small room as a data center and we are in the process of building our main data center. We can use an ACL as you said on the Virtual-template but that would limit us too (IT staff).

I created 2 VPDN-groups with 2 IP pools and 2 different policies but the router always selects the first default group; I don't know how to get to the second group. We are using a local database on the router and I was also able to authenticate the users with Active Directory. Maybe I can use domain names to tie groups with domain names?

I think I will give SSL-VPN a shot, or let the external consultants use VPDN + ACL and let us use SSL-VPN or EZVPN.
Regards,
Mohamed Gazzaz

_____

From: [email protected]
To: [email protected]; [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] Virtual Private Dialup Network - VPDN
Date: Wed, 17 Feb 2010 11:26:22 -0500

Mohammed,

You can use an ACL on your Virtual-Template interface to control what they gain access to if you are doing this on a router. I would have to research to know what to do on the ASA for VPDN.

Regards,
Tyson Scott

From: [email protected] [mailto:[email protected]] On Behalf Of Mohamed Gazzaz
Sent: Wednesday, February 17, 2010 7:23 AM
To: [email protected]; [email protected]
Subject: [OSL | CCIE_Security] Virtual Private Dialup Network - VPDN

Hello,

Basically, we have some external contractors/consultants who are accessing our SAP servers via VPDN. We want to limit their access to some servers, so what is the best way to do that? I don't have a lot of experience with VPDN and this stuff is new to me.

Here is the scenario: The consultants connect to our public IP address via VPDN and they get a local IP address which allows them to access the local servers. There is only one group and I guess I can use access-lists to limit their access but I don't want to limit myself and other IT staff. I tried to create two VPDN groups but the router always selects the first group (the default one).
I thought about SSL-VPN but I don't know if I will have some compatibility issues with SAP applications (clientless mode - the management does not want the full tunnel mode). Easy-vpn is not an option because of the management again.

Any ideas or suggestions will be highly appreciated.

Regards,
Mohamed Gazzaz
