Restrict VPN access by VPN group

Status
Not open for further replies.

maelx

MIS
Feb 25, 2004
8
I have 3 vpngroups (and corresponding IP pools) set up and want to limit access to specific services/IPs based on this.

I know I need to restrict based on ACLs but how do I have them apply? Is it the crypto map statement?

vpn1 192.168.10.0 access to all 10.10.10.0:all
vpn2 192.168.20.0 access to 10.10.10.20:80,443
vpn3 192.168.30.0 access to 10.10.10.30:25,110

Thanks in advance,
Brent
 
Your best option is to use downloadable access lists from a RADIUS server (this is also the most manageable). Otherwise remove the sysopt connection permit-ipsec command and explicitly define the rules in the access-lists.
 
Unfortunately a RADIUS server config is beyond the scope of the project. I only have three groups so RADIUS would probably be overkill. (I will definitely try my hand at it later though. :) )

What I can't figure out is exactly how to go about it and where to apply the access lists? I searched and could find no examples to help. My attempts always bomb.

I am looking for a vanilla example that I can figure out and then tweak to my own.

Thanks again
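
The second approach from the reply above (dropping sysopt connection permit-ipsec and filtering on the interface ACL), laid out as an added example that is not from any poster in the thread. It assumes PIX 6.x syntax, an outside interface named outside, and a hypothetical ACL name vpn_in; the pools and targets are the ones listed in the question.

```cisco
: Added example. Assumptions: PIX 6.x CLI, interface "outside",
: hypothetical ACL name "vpn_in". Pools and targets are from the question.

: Stop IPsec traffic from bypassing interface ACLs. After this, decrypted
: VPN client traffic is checked against the ACL bound to "outside".
no sysopt connection permit-ipsec

: vpn1 pool 192.168.10.0/24 -> all of 10.10.10.0/24, any protocol
access-list vpn_in permit ip 192.168.10.0 255.255.255.0 10.10.10.0 255.255.255.0

: vpn2 pool 192.168.20.0/24 -> 10.10.10.20 on tcp/80 and tcp/443 only
access-list vpn_in permit tcp 192.168.20.0 255.255.255.0 host 10.10.10.20 eq 80
access-list vpn_in permit tcp 192.168.20.0 255.255.255.0 host 10.10.10.20 eq 443

: vpn3 pool 192.168.30.0/24 -> 10.10.10.30 on tcp/25 and tcp/110 only
access-list vpn_in permit tcp 192.168.30.0 255.255.255.0 host 10.10.10.30 eq 25
access-list vpn_in permit tcp 192.168.30.0 255.255.255.0 host 10.10.10.30 eq 110

: Everything else from the pools falls through to the implicit deny.

: Only one ACL can be bound per interface. If an ACL is already applied
: to "outside", add the entries above to that ACL instead of binding
: vpn_in, otherwise this line replaces the existing binding.
access-group vpn_in in interface outside
```

Removing the sysopt command makes every IPsec tunnel that terminates on the device subject to this ACL, so any site-to-site traffic needs its own permit entries. `show access-list vpn_in` lists per-entry hit counts, which shows which rule a test client actually matched.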
 