I'm currently configuring Remote Access VPN for our network. I manage our firewall with FDM, and I followed the configuration wizard and can connect with AnyConnect. The problem I'm having is that I need to restrict employees from our admin network when using VPN. I thought I could have two VPN pools like this:
Employee-VPN : 10.10.10.0/24
And our inside network have
Employee : 192.168.10.0/24
Admin : 192.168.20.0/24
But that doesn't seem to be the case. With the configuration in the FDM I could only choose one pool of addresses to give the VPN users. I tried giving the VPN users an address from the 10.10.10.0/24 network, but then no one could access anything on the inside. If I instead changed one of the inside networks to a /25 and gave the VPN users the remaining /25 network, I could access everything. (I reckon this has something to do with static routes, but then again, I can't have an address of the VPN pool on one of the interfaces, so how do I make a route to that network without a gateway?)
So I was trying to use the subnet 10.10.10.0/25 for internal users and 10.10.10.128/25 for our VPN users, but how do I restrict it so that if you have an admin account you can access everything, and if you have an employee account you can only access our webserver? There aren't many options or configuration guides available for the FDM or the CLI.
Any help would be appreciated.
Are we talking about changes in the AD or on the firewall, as in GP etc.? How would I do a DACL on the firewall based on group membership?
I can't seem to find the options needed for this on the Firepower with the FDM.