<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Can you have different SSL WebVPN's on Cisco ASA 5520? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050970#M419243</link>
    <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What RADIUS are you using? IAS etc&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
    <pubDate>Mon, 28 Jul 2008 13:01:46 GMT</pubDate>
    <dc:creator>jamesgonzo</dc:creator>
    <dc:date>2008-07-28T13:01:46Z</dc:date>
    <item>
      <title>Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050955#M419187</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;What I mean is I want to give a company access to an internal website and another company access to a different website, they can only access one website (bookmark)?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 10:56:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050955#M419187</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2020-02-21T10:56:21Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050956#M419192</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;In the docs it's loose.... me personally, the only thing I have got working in a lab is the drop down group option with all the other bells and whistles, which works quite well.  I have not been able to get back to this one in ages, no time soon either, but the below link may point you in the right direction.....unless someone else has cracked this:-&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/ps6120/prod_configuration_examples_list.html" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/ps6120/prod_configuration_examples_list.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;HTH&amp;gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 25 Jul 2008 22:18:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050956#M419192</guid>
      <dc:creator>andrew.prince</dc:creator>
      <dc:date>2008-07-25T22:18:38Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050957#M419201</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;The following link will guide you to a step-by-step process to achieve this:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808bd83d.shtml" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808bd83d.shtml&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Another alternate is the group-url command, but I don't think it supports the following:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;asa-ip/sales&lt;/P&gt;&lt;P&gt;asa-ip/marketing&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But it does support&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="https://sales-ssl-vpn" target="_blank"&gt;https://sales-ssl-vpn&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="https://marketing-ssl-vpn" target="_blank"&gt;https://marketing-ssl-vpn&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sat, 26 Jul 2008 09:21:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050957#M419201</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-26T09:21:48Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050958#M419207</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Do you mean I should just create an Alias for each SSL VPN profile with only the Bookmarks each company needs then email them the URL?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Can I only accept connections from their external facing IP as well?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Sun, 27 Jul 2008 19:04:48 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050958#M419207</guid>
      <dc:creator>whiteford</dc:creator>
      <dc:date>2008-07-27T19:04:48Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050959#M419213</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If you have just one IP address, go for the tunnel drop-down menu (as seen on the CCO Doc). That would be a more practical option.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 01:09:38 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050959#M419213</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-28T01:09:38Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050960#M419219</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Interesting,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.) How can I use a different IP than the "outside" IP?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2.) I'm struggling to find this CCO doc for the tunnel drop-down menu, what is this?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 06:26:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050960#M419219</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T06:26:34Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050961#M419222</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1) I'm not aware of any way, maybe NAT on an upstream device (but I doubt it)&lt;/P&gt;&lt;P&gt;2) Did you not check this link: &lt;A class="jive-link-custom" href="http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808bd83d.shtml" target="_blank"&gt;http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a00808bd83d.shtml&lt;/A&gt; &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 06:54:53 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050961#M419222</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-28T06:54:53Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050962#M419226</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Strange thing is I don't have access to that site.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 07:18:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050962#M419226</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T07:18:56Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050963#M419229</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;All you have to do is login using your regular Cisco Account or try this link:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="http://www.cisco.com/application/pdf/paws/98580/enable-group-dropdown.pdf" target="_blank"&gt;http://www.cisco.com/application/pdf/paws/98580/enable-group-dropdown.pdf&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 07:37:36 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050963#M419229</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-28T07:37:36Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050964#M419230</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Great, that has worked, &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;1.) I suppose I should not call the group name something like "My Company" as anyone can get to the page on the internet, unless I can restrict this site only to their external IP?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2.) It seems I can get to the site either by:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="https://asa-ip/" target="_blank"&gt;https://asa-ip/&lt;/A&gt; (with drop down)&lt;/P&gt;&lt;P&gt;&lt;A class="jive-link-custom" href="https://asa-ip/alias" target="_blank"&gt;https://asa-ip/alias&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Is this normal or more secure to somehow only use &lt;A class="jive-link-custom" href="https://asa-ip/alias," target="_blank"&gt;https://asa-ip/alias,&lt;/A&gt; but I'm not sure I can turn off the &lt;A class="jive-link-custom" href="https://asa-ip/?" target="_blank"&gt;https://asa-ip/?&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;3.) I have created another alias/bookmarks for another company (have 2 profiles now), thing is they can log on to each other's alias, how do I stop this?  I want company A to access group A and company B access group B only.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 09:18:16 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050964#M419230</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T09:18:16Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050965#M419231</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1) If your SSL VPN is on the internet, you need to control access to the ASA Public IP using an ACL (let's say on your upstream router etc.)&lt;/P&gt;&lt;P&gt;2) I guess this is normal, I doubt you can turn off the ASA-ip thing. That will destroy the purpose of drop-down anyway.&lt;/P&gt;&lt;P&gt;3) You can use 'group-lock' to lock users to particular groups (both locally and via AAA AFAIK).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 11:11:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050965#M419231</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-28T11:11:22Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050966#M419235</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1.) Can the ASA do this?  The 'outside' interface connects to our ISP router (we don't have access), can an ACL be created only to allow external SSL connects from their public IPs?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2.) Group-lock sounds like just what I need, is this on ASA's ASDM?  I'm using IAS for Radius.  &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;   2.1) I wanted to use a local user account for this (priv 0) but I found out that I could get into the CLI with the account!  Can I stop this?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 11:31:50 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050966#M419235</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T11:31:50Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050967#M419237</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;1) By default I don't think, you might have to turn off sysopt. Not 100% sure about this.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2) Yes it should be available both on the CLI/ASDM. It can also be pushed via AAA.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;2.1) priv 0 can get into the CLI but what can he do? Also you can restrict management traffic by using ASA ACL (ssh/telnet commands)&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Farrukh&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 12:11:54 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050967#M419237</guid>
      <dc:creator>Farrukh Haroon</dc:creator>
      <dc:date>2008-07-28T12:11:54Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050968#M419239</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I suppose it can be open to the world as long as it's secure.  I just need to work out if "company A" logs on they get "bookmarks A" and if "company B" logs on they get "bookmarks B", plus company A can't access company B bookmarks.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;You mention group-lock, I will use a local username for each company now, but I'm really struggling to find this group-lock function on the ASDM.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 12:29:27 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050968#M419239</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T12:29:27Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050969#M419241</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I use dynamic access policies to achieve this without using aliases.  I'm using Cisco ACS, and apply in the RADIUS class field (number 25) with a setting, I use OU=groupPolicy, where groupPolicy is the name of a specific group policy I have defined in the config.  Then I go to DAP and check for this RADIUS setting (not Cisco setting).  After it catches it, I can define bookmarks, ACLs, banners, etc. for everyone with this OU setting.  You must check for the entire OU=groupPolicy phrase, or whatever you throw in there.  It could be something like goPackers or something arbitrary like that. I use group policy so I can use the same DAP for IPsec VPNs.  &lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 12:52:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050969#M419241</guid>
      <dc:creator>blawrimore1</dc:creator>
      <dc:date>2008-07-28T12:52:22Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050970#M419243</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;What RADIUS are you using? IAS etc&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 13:01:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050970#M419243</guid>
      <dc:creator>jamesgonzo</dc:creator>
      <dc:date>2008-07-28T13:01:46Z</dc:date>
    </item>
    <item>
      <title>Re: Can you have different SSL WebVPN's on Cisco ASA 5520?</title>
      <link>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050971#M419244</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I'm using Cisco's ACS server, but any IETF RADIUS will do.  I'm not familiar enough with IAS to tell you where to add the parameters for policy 25 (Class).&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'll give you more info on how I'm using RADIUS in my config:&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;RA VPN with tunnel group name definition.  IOW, the pre-shared key and tunnel group are derived from the VPN client profile and matched against RA tunnel group with same name and key.  This way I only have one pcf to give out to users.&lt;/P&gt;&lt;P&gt;AAA against RADIUS box.  The OU=xxx in parameter 25 defines for both RAvpn and WebVPN the group policy to use.  I further drill down each remote vendor gets access to which server by creating bookmarks for each vendor and using DAP to match both parameter 25 and 24 (State).  25 says put in remote vendor (or local user, whatever GPs I have defined already) and 24 will define the DAP with the specific URL-List for the specific vendor.  I have to create multiple DAPs: one DAP for each vendor.  One GP for all my users in a group for a base GP.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have three groups:  MIS, Normal-Users, and Vendors.  I have defined one tunnel group, All-users.  I have three GPs:  MIS, Normal-users, Vendors.  I have five DAPs:  Default, MIS, Normal-Users-Dap, Vendor1-DAP, Vendor2-DAP.  MIS and Normal Users DAPs check against parameter 25 only and are assigned accordingly.  Vendor1 and 2 DAPs check against 25 and 24 and are assigned accordingly.  I assign parameter 25 on the group of remote vendors in my RADIUS and parameter 24 on the individual user.  Any remote vendor that logs in with 24 unassigned gets no bookmarks at all (Default DAP) and therefore zero access to the network. I did this just in case I neglected to assign parameter 24.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Sorry for the long note, hope it makes sense.  Just make sure you can assign those parameter values (24 and 25) in IAS and you should be golden with DAPs.  BTW, with those parameters, I also have complete customization to RAvpn's, too, with network lists, etc.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Mon, 28 Jul 2008 17:14:22 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/can-you-have-different-ssl-webvpn-s-on-cisco-asa-5520/m-p/1050971#M419244</guid>
      <dc:creator>blawrimore1</dc:creator>
      <dc:date>2008-07-28T17:14:22Z</dc:date>
    </item>
  </channel>
</rss>

