Beginner

ASA 5508-X Restrict VPN users / address problem

Hi!

I'm currently configuring Remote Access VPN for our network. I manage our firewall with FDM, I followed the configuration wizard, and I can connect with AnyConnect. The problem I'm having is that I need to restrict employees from our admin network when using VPN. I thought I could have two VPN pools like this:

Employee-VPN : 10.10.10.0/24

Admin-VPN: 20.20.20.0/24

And our inside networks have

Employee : 192.168.10.0/24

Admin : 192.168.20.0/24

But that doesn't seem to be the case. With the configuration in the FDM I could only choose one pool of addresses to give the VPN users. I tried giving the VPN users an address from the 10.10.10.0/24 network, but then no one could access anything on the inside. If I instead changed one of the inside networks to a /25 and gave the VPN users the remaining /25 network, I could access everything. (I reckon this has something to do with static routes, but then again, I can't have an address of the VPN pool on one of the interfaces, so how do I make a route to that network without a gateway?)

So I was trying to use the subnet 10.10.10.0/25 for internal users and 10.10.10.128/25 for our VPN users, but how do I restrict access so that if you have an admin account you can access everything, and if you have an employee account you can only access our webserver? There aren't many options or configuration guides available for the FDM or the CLI.

Any help would be appreciated.

1 ACCEPTED SOLUTION

RJI Advisor

Re: ASA 5508-X Restrict VPN users / address problem

Hi,
A VPN pool is attached to a Group Policy. If the admin and employee users are assigned the same GP, then that's why that won't work for you. Do you use a RADIUS server to authenticate the users? If so, you could assign a separate GP depending on users' group membership. Alternatively, you could also just assign a DACL, which would permit/deny traffic as required depending on the group membership.

HTH
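
The per-group DACL idea from the answer above, modelled as an added example (not part of the original thread and not Cisco tooling): each VPN group gets its own access list, the first matching entry wins, and anything unmatched is denied. The group names, the web server address 192.168.10.50 and port 443 are assumptions; the inside networks are the ones from the question.

```python
import ipaddress

# Inside networks from the thread.
EMPLOYEE_NET = ipaddress.ip_network("192.168.10.0/24")
ADMIN_NET = ipaddress.ip_network("192.168.20.0/24")
# Assumption: the web server address is not given in the thread.
WEB_SERVER = ipaddress.ip_network("192.168.10.50/32")

# Hypothetical per-group access lists, as a RADIUS server might hand out.
# Entry: (action, destination network, protocol or "ip" for any, port or None for any)
DACLS = {
    "vpn-employees": [
        ("permit", WEB_SERVER, "tcp", 443),
    ],
    "vpn-admins": [
        ("permit", EMPLOYEE_NET, "ip", None),
        ("permit", ADMIN_NET, "ip", None),
    ],
}


def evaluate(group, dst, proto, port):
    """Return 'permit' or 'deny' for one flow: first match wins, implicit deny."""
    dst_ip = ipaddress.ip_address(dst)
    for action, net, acl_proto, acl_port in DACLS.get(group, []):
        if dst_ip not in net:
            continue
        if acl_proto != "ip" and acl_proto != proto:
            continue
        if acl_port is not None and acl_port != port:
            continue
        return action
    return "deny"  # unknown group or no matching entry


def audit(group, protected):
    """List the group's permit entries that reach into a protected network."""
    return [entry for entry in DACLS.get(group, [])
            if entry[0] == "permit" and entry[1].overlaps(protected)]


if __name__ == "__main__":
    print(evaluate("vpn-employees", "192.168.10.50", "tcp", 443))
    print(evaluate("vpn-employees", "192.168.20.10", "tcp", 22))
    print(audit("vpn-employees", ADMIN_NET))
```

Running `audit` against the admin network before deploying a policy change is a quick way to confirm that no employee entry has been widened to include it.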


Beginner

Re: ASA 5508-X Restrict VPN users / address problem

Are we talking about changes in the AD or on the firewall? As in GP, etc. How would I do a DACL on the firewall based on group membership?

I can't seem to find the options needed for this on the Firepower with the FDM.