topic Re: Controlling VPN access in Network Access Control

Controlling VPN access

marty.finn — Sun, 10 Mar 2019 22:54:06 GMT

Hi Guys,

We have a Cisco ASA 5510 and ACS 4.1 configured and the users can VPN into ASA and are authenticated by the ACS which is mapped to Active Directory and all works well.

I now need to know how to configure VPN access to allow certain groups to have access only to certain IPs or IP ranges.

Please any help or links appreciated.

Re: Controlling VPN access

dominic.bilodeau — Wed, 11 Jun 2008 19:01:24 GMT

Use the command "vpn-filter value YOUR-ACL-NAME" under your group-policy.

Then create the Access-list with the ip/ports you want them to access.

For example:

group-policy TEST internal

group-policy TEST attributes

dns-server value 10.1.1.60

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TEST_splitTunnelAcl

default-domain value TEST.com

vpn-filter value TEST_ACL

access-list TEST-ACL extended permit ip 10.1.1.0 255.255.255.0 10.1.3.3 255.255.255.255

This will allow access to any TCP ou UDP ports on host 10.1.3.3

Re: Controlling VPN access

marty.finn — Wed, 11 Jun 2008 21:11:48 GMT

Thank You.

I was able to set access through different tunnel groups on the ASA. This will require different configs in the Cisco VPN client.

Is there a way to have a single tunnel group and then somehow set ACL that are tied to different groups in Active Directory? That way all Cisco VPN clients are configured the same way but based on AD group would define access control?

Re: Controlling VPN access

dominic.bilodeau — Thu, 12 Jun 2008 00:31:26 GMT

Yes it's possible.

I am using one tunnel-group and many group-policy that matches some Windows Group in AD. So all I have to do is assign a particular windows user to a group to give him/her VPN access.

First: Specify a ldap-attribute-map under your aaa-server section. Also, you will need a user account with at least domain user rights in your domain (in my example the user is VPN-LDAP-User)

aaa-server VPN_AUTHOR protocol ldap

aaa-server VPN_AUTHOR (inside) host YOUR-LDAP-SERVER-IP

ldap-base-dn DC=your_domain,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password (VPN-LDAP-User's password in AD)

ldap-login-dn CN=VPN-LDAP-User,CN=Users,DC=your_domain,DC=com server-type microsoft

ldap-attribute-map Map_Groups_VPN

Secondly: Map The AD group to a group Policy on your Pix/ASA

ldap attribute-map Map_Groups_VPN

map-name memberOf cVPN3000-IETF-Radius-Class

map-value memberOf CN=VPNGroupA,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupA

map-value memberOf CN=VPNGroupB,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupB

In the above example,if user john is member of Windows Group "VPNGroupA", he will be mapped to group-policy GroupA on ASA.

Then you create the GroupA policy similar to this:

group-policy GroupA internal

group-policy GroupA attributes

dns-server value 192.168.0.11 192.168.0.6

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

default-domain value your_domain.com

address-pools value Pool_Groupa

Please rate if this helps. It's hard to find good how-to for this so I'm glad to give you the detailed steps.

NB: Use "Debug ldap 255" to see how your LDAP query and mapping goes and seek for errors."

Also, make sure you have no spaces in your OU name under AD, because the ASA will not accept your map-value command (I had to figure it out after 2 hours of troubleshooting because I used "VPN Access" originallly)

Re: Controlling VPN access

marty.finn — Sun, 15 Jun 2008 15:41:19 GMT

Thank you very much for the instructions. I am a complete CLI newbie but I see if I am going to be doing any advanced config or getting help from the forums I am going to have to learn.

So while I am not exactly sure how to implement this yet I am going to go through slowly and figure it out.

Thanks again.

Re: Controlling VPN access

pemasirid — Sat, 24 Oct 2009 20:44:02 GMT

hi,

I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.

ACS Groups

Netadmin - need telnet/ssh/vpn/wireless

wireless - only wireless authentication

vpn - only vpn authenticaiton

I need to map the above ACS groups to one/or many AD groups and restric access as stated.

Also please note that one user can be belongs to all three groups in ACS/AD.

thanks in advance.

Re: Controlling VPN access

jerry.ely — Sat, 07 Nov 2009 20:18:59 GMT

I have been looking for some time to find exactly these instructions. They worked for me the very first time!