Welcome to Cisco Firewalls Community
VPN Anyconnect user authorization

Hi,

We have an ASA configured for VPN Anyconnect, and large subnets are allowed for VPN users via split tunnelling. All VPN users are authenticated via AAA. We have then created the VPN users in ACS and restricted each user's access to particular subnets via a Downloadable ACL.

Problems:

~~~~~~~~

dACL on ACS works, but it is not good enough: suppose we have restricted a VPN user to a particular subnet via dACL. Once he reaches a device on that subnet, then from that device (switch/router) he is able to access any device which is not allowed in the dACL.

How can we restrict a VPN user so that, if he is allowed to access only subnet 1 in the dACL, he is not allowed/able to go to the subnet 2 switch/router etc. from the allowed subnet 1? People know this trick of jumping from allowed-subnet devices to not-allowed-subnet devices, and they misuse it.

OR if you have any other better way, then please advise.

All devices are configured with TACACS. We are using ASA 8.4 and ACS 4.2.

Thanks

Accepted Solutions

VPN Anyconnect user authorization

Hello Riz,

At the moment when the device jumps to another box and starts using that box, the security failure is actually not on the client or the dACL but on the router that is used as the SSH/Telnet client.

If you want to prevent a Cisco router from being used as a Telnet/SSH terminal client, do:

line vty 0 4
 transport output none

You could also perform authorization for that user and deny those SSH/Telnet sessions, but this might impact legitimate traffic.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
VIP Advocate

VPN Anyconnect user authorization

Another option you could implement is access lists on the VTY line that permit access only from certain IP addresses used by administrators. This IP range should be different from what is configured on the routers and switches, so they will not be able to hop via a router to another subnet.

access-list 1 permit 172.16.1.0 0.0.0.255

line vty 0 15
 access-class 1 in

--
Please remember to rate and select a correct answer
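
As an added example (not from the thread or its authors), a small audit script that checks an IOS running-config for the two VTY controls the accepted solutions describe: `transport output none` on every vty range, and an inbound `access-class` whose ACL only permits the administrator range. The sample config excerpt and the 172.16.1.0/24 admin range are constructed; the script only understands standard numbered ACL entries in `permit <addr> <wildcard>` form.

```python
import re
from ipaddress import IPv4Network

# Constructed sample running-config excerpt: the first vty range is hardened
# as both answers suggest, the second one is not.
SAMPLE_CONFIG = """\
access-list 1 permit 172.16.1.0 0.0.0.255
line vty 0 4
 access-class 1 in
 transport output none
line vty 5 15
 transport input ssh
"""


def parse_vty_blocks(config):
    """Return {'line vty 0 4': [sub-commands], ...} from an IOS config."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None  # any top-level command ends the line block
    return blocks


def acl_networks(config, acl_id):
    """Networks permitted by a standard numbered ACL (address + wildcard form)."""
    nets = []
    for m in re.finditer(rf"^access-list {acl_id} permit (\S+) (\S+)$", config, re.M):
        addr, wildcard = m.groups()
        mask = ".".join(str(255 - int(o)) for o in wildcard.split("."))  # invert wildcard
        nets.append(IPv4Network(f"{addr}/{mask}", strict=False))
    return nets


def audit_vty(config, admin_range):
    """Per vty block, list findings relevant to the subnet-hopping problem."""
    admin = IPv4Network(admin_range)
    findings = {}
    for name, cmds in parse_vty_blocks(config).items():
        issues = []
        if "transport output none" not in cmds:
            issues.append("outbound telnet/ssh allowed (no 'transport output none')")
        acl = next((c.split()[1] for c in cmds if c.startswith("access-class ") and c.endswith(" in")), None)
        if acl is None:
            issues.append("no inbound access-class")
        elif not acl_networks(config, acl) or any(not n.subnet_of(admin) for n in acl_networks(config, acl)):
            issues.append(f"access-class {acl} permits sources outside the admin range")
        findings[name] = issues
    return findings
```

Running `audit_vty(SAMPLE_CONFIG, "172.16.1.0/24")` reports nothing for `line vty 0 4` and both missing controls for `line vty 5 15`.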
