https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463531#M270115 <DIV><DIV><DIV><P>Hi,</P></DIV></DIV><DIV><DIV><P></P><P>We have ASA configured for VPN Anyconnect &amp; large subnets are allowed for VPN users via split tunnelling. All VPN user are authenticating via AAA. Then we have created VPN users in ACS &amp; restrict the users access to particular subnets via Downloadable ACL.</P><P></P><P>Problems:</P><P>~~~~~~~~</P><P>dACL on ACS works but not good enough as suppose we have restrict VPN user to particular subnet via dACL, once he will reach that subnet devices, then from that device(Switch/Router) he is able to access any device which is not allowed in dACL.</P><P></P><P>HOW WE CAN RESTRICT VPN USER THAT IF HE IS ALLOWED TO ACCESS ONLY SUBNET1 in dACL, HE SHOULD NOT BE ALLOWED/ ABLE TO GOTO SUBNET 2 SWITCH/ROUTER ETC. FROM ALLOWED SUBNET 1. PEOPLE KNOW THIS TRICK OF JUMPING FROM ALLOWED SUBNET DEVICES TO NOT ALLOWED SUBNET DEVICES AND THEY MISS USE IT.</P><P>&nbsp;&nbsp; </P><P>OR if you have any other better way, then please advise.</P><P></P><P>All devices are configured with TACACS. We are using ASA 8.4 and ACS 4.2.</P><P></P><P>Thanks</P></DIV></DIV></DIV> Tue, 12 Mar 2019 03:41:47 GMT raza555 2019-03-12T03:41:47Z https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463531#M270115 <DIV><DIV><DIV><P>Hi,</P></DIV></DIV><DIV><DIV><P></P><P>We have ASA configured for VPN Anyconnect &amp; large subnets are allowed for VPN users via split tunnelling. All VPN user are authenticating via AAA. Then we have created VPN users in ACS &amp; restrict the users access to particular subnets via Downloadable ACL.</P><P></P><P>Problems:</P><P>~~~~~~~~</P><P>dACL on ACS works but not good enough as suppose we have restrict VPN user to particular subnet via dACL, once he will reach that subnet devices, then from that device(Switch/Router) he is able to access any device which is not allowed in dACL.</P><P></P><P>HOW WE CAN RESTRICT VPN USER THAT IF HE IS ALLOWED TO ACCESS ONLY SUBNET1 in dACL, HE SHOULD NOT BE ALLOWED/ ABLE TO GOTO SUBNET 2 SWITCH/ROUTER ETC. FROM ALLOWED SUBNET 1. PEOPLE KNOW THIS TRICK OF JUMPING FROM ALLOWED SUBNET DEVICES TO NOT ALLOWED SUBNET DEVICES AND THEY MISS USE IT.</P><P>&nbsp;&nbsp; </P><P>OR if you have any other better way, then please advise.</P><P></P><P>All devices are configured with TACACS. We are using ASA 8.4 and ACS 4.2.</P><P></P><P>Thanks</P></DIV></DIV></DIV> Tue, 12 Mar 2019 03:41:47 GMT https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463531#M270115 raza555 2019-03-12T03:41:47Z https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463532#M270116 <HTML><HEAD></HEAD><BODY><P>Hello Riz,</P><P></P><P>At the moment where the device jumps to another box and starts using that box the security failure is actually not on the client o dACL but on the router that is used for SSH,Telnet client.</P><P></P><P>If you want to disable a cisco router or telnet client for being used as a terminal client do:</P><P></P><P>line vty 0 4</P><P>transport output none </P><P></P><P></P><P>You could also perform authorization ;for that user and deny those SSH,Telnet sessions but this will might impact legitimate traffic.</P><P></P><P></P><P>Looking for some Networking Assistance?&nbsp; <BR /><SPAN>Contact me directly at </SPAN><A class="jive-link-email-small" href="mailto:jcarvaja@laguiadelnetworking.com">jcarvaja@laguiadelnetworking.com</A><SPAN> </SPAN><BR /> <BR />I will fix your problem ASAP. <BR /> <BR />Cheers, <BR /> <BR />Julio Carvajal Segura <BR /><A class="jive-link-external-small" href="http://laguiadelnetworking.com">http://laguiadelnetworking.com</A></P></BODY></HTML> Fri, 07 Feb 2014 05:07:54 GMT https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463532#M270116 Julio Carvajal 2014-02-07T05:07:54Z https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463533#M270117 <HTML><HEAD></HEAD><BODY><P>Another option you could implement are access lists on the VTY line, that permit access only from certain IP addresses that are used by administrators.&nbsp; This IP range should be different from what is configured on the routers and switches so they will not be able to hop via a router to another subnet.</P><P></P><P>access-list 1 permit 172.16.1.0 0.0.0.255</P><P>line vty 0 15</P><P>access-class 1 in</P><P></P><P></P><P>-- <BR />Please remember to rate and select a correct answer</P></BODY></HTML> Fri, 07 Feb 2014 08:57:55 GMT https://community.cisco.com/t5/network-security/vpn-anyconnect-user-authorization/m-p/2463533#M270117 Marius Gunnerud 2014-02-07T08:57:55Z