I recently purchased an ASA 5520 and was extremely disappointed when I found out that one cannot do sub-interfaces and VPN connections at the same time; one must choose one or the other. Because of this, I am asking the following question:
I have a lab that is home to many projects, and each project is on a separate private LAN. I'm trying to make it such that external users of the lab can VPN into the lab environment, but I want to limit their access to their project's LAN. These will be client VPNs, so the access will need to be based on username rather than IP address. I know I can do this by assigning an ACL to the user in the user's attributes section. However, my problem is that I have more than 3 networks, but the ASA limits me to 3 interfaces since I cannot do sub-interfaces and VLAN trunking via multiple contexts at the same time as I do VPN connections. What I could do is have a router connected to an inside interface on the ASA and hang all of the private test networks off of the router, but then I don't know how to let the router know which ACLs should apply to each user so as to limit each user to only the network their project is on. Is this at all possible?
Thanks in advance!
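The per-user ACL the question refers to is the ASA `vpn-filter` attribute. The following is an added example, not configuration from the original post or from Cisco, showing how the "router behind the inside interface" layout can still enforce per-user project access entirely on the ASA. Everything here is an assumption: the inside interface is 10.0.0.1/24, the lab router sits at 10.0.0.2, two project LANs (192.168.10.0/24 and 192.168.20.0/24) live behind it, VPN clients draw from 172.16.50.0/24, and the users are `alice` and `bob`. The key point is that a `vpn-filter` is evaluated per session against the authenticated user's attributes, so the router never needs to know who is connected; it only routes.

```cisco
! Inside interface faces the lab router; the project LANs hang off the router
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Static routes so the ASA knows the project LANs are reachable via the router
route inside 192.168.10.0 255.255.255.0 10.0.0.2
route inside 192.168.20.0 255.255.255.0 10.0.0.2
!
! Address pool handed out to VPN clients (assumed range)
ip local pool VPN_POOL 172.16.50.10-172.16.50.100 mask 255.255.255.0
!
! Per-project filters. In a vpn-filter ACL the source is the VPN client address
! and the destination is the lab network; the ASA applies the mirror for return traffic.
! Anything not explicitly permitted by the filter is dropped.
access-list PROJ_A_FILTER extended permit ip 172.16.50.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list PROJ_B_FILTER extended permit ip 172.16.50.0 255.255.255.0 192.168.20.0 255.255.255.0
! Safe default for any account that has no project filter assigned
access-list DENY_ALL extended deny ip any any
!
! Group policy: default everyone to the deny-all filter
group-policy LAB_VPN internal
group-policy LAB_VPN attributes
 vpn-filter value DENY_ALL
 address-pools value VPN_POOL
!
tunnel-group LAB_VPN type remote-access
tunnel-group LAB_VPN general-attributes
 default-group-policy LAB_VPN
!
! Users: the per-user vpn-filter overrides the one inherited from the group policy
username alice password <set-a-real-password>
username alice attributes
 vpn-group-policy LAB_VPN
 vpn-filter value PROJ_A_FILTER
!
username bob password <set-a-real-password>
username bob attributes
 vpn-group-policy LAB_VPN
 vpn-filter value PROJ_B_FILTER
```

Two things to check when adopting this. First, the lab router needs a route back to the VPN pool (here 172.16.50.0/24 via 10.0.0.1), otherwise return traffic never reaches the ASA. Second, `sysopt connection permit-vpn` is on by default, which means decrypted VPN traffic bypasses the inside interface ACL; the `vpn-filter` is therefore the control that actually restricts each user, so keep the group-policy default at deny-all rather than relying on an interface ACL. If you would rather enforce on the router, the alternative is a separate address pool per project assigned through the user or group-policy attributes, with ordinary IP-based ACLs on the router's sub-interfaces; that trades username-based filtering on the ASA for pool-based filtering downstream.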