Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1065
Views
5
Helpful
2
Replies

ASA 5508-X Restrict VPN users / address problem

Go to solution
pannkakan_1
Level 1
Level 1

‎05-24-2018 06:43 AM - edited ‎02-21-2020 07:48 AM

Hi!

 

I'm currently configuring Remote Access-VPN for our network. I manage our firewall with FDM and I followed the configuration wizard and I can connect with anyconnect. The problem I'm having is that I need to restrict employees from our admin network when using VPN. I thought I could have two VPN pools like this :

Employee-VPN : 10.10.10.0/24

Admin-VPN: 20.20.20.0/24 

 

And our inside network have

Employee : 192.168.10.0/24

Admin : 192.168.20.0/24

 

But that doesnt seem like the case. With the configuration in the FDM I could only choose one pool of addresses to give the VPN users. I tried giving the VPN users an address from the 10.10.10.0/24 network but then no one could access anything on the inside. if I instead changed one of the inside networks to a /25 and gave the VPN users the remaning network of /25 I could access everything.( I recon this have something to do with static routes but then again, I cant have an address of the VPN pool on one of the interfaces so how do I make a route to that network without a gateway?)

 

So I was trying to use this subnet 10.10.10.0/25 to internal users and 10.10.10.128/25 to our VPN users, but how do I restrict so that if u have an admin account you can access everything and if you have an employee account you can only access our webserver. There arent many options or configuration guides available to the FDM or the CLI. 

 

Any help would be appreciated.

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎05-25-2018 03:04 AM

Hi,
A VPN Pool is attached to a Group Policy, if the admin and employee users is assigned the same GP then that why that won't work for you. Do you use a RADIUS server to authenticate the users? If so you could assign a separate GP depending on users' group membership. Alternatively you could also just assign a DACL, which would permit/deny traffic as required depending on the group membership.

HTH

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎05-25-2018 03:04 AM

Hi,
A VPN Pool is attached to a Group Policy, if the admin and employee users is assigned the same GP then that why that won't work for you. Do you use a RADIUS server to authenticate the users? If so you could assign a separate GP depending on users' group membership. Alternatively you could also just assign a DACL, which would permit/deny traffic as required depending on the group membership.

HTH

Go to solution
pannkakan_1
Level 1
Level 1
In response to Rob Ingram

‎05-28-2018 12:17 AM - edited ‎05-28-2018 12:21 AM

Are we talking about changes in the AD or on the Firewall? as in GP etc. How would I do a DACL on the firewall based on group membership? 

 

I cant seem to find options needed for this on the Firepower with the FDM.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card