Hi Gilbert,

tnx for your reply.

I've already taken the measures you described, but I need to go further.

If the only alternative I've got is to dedicate an asa to each application I'll go that way.

Tnx again,

Max.

Max,

You do not have to dedicate two ASA's for this reason.

You can pass down user based ACL from the ACS server for the particular user connecting.

So, that should help you out.

Cheers

Gilbert

Rate this post, if it helps.

Gilbert,

I'm a little confused, are the acl's bindable to a specific interface or tunnel group?

I want to completely avoid some wireless users to connect from home, fom some I want them to connect with much less privileges than those they have at the work place, can I obtain this with acl's?

Tnx,

Max.

Max,

I re-read your problem and my answers to you.

So, in jist you do not want the users of wireless to change the IP address and connect to the ASA and access your corporate network, is that correct.

You have two options.

a. Bind the user to a group-policy and allow access to specified resources using vpn-filter

This is on the ASA itself.

b. user downloadable ACL for user authentication through a RADIUS ACS server so that the acl can provide what access the user gets.

Hope this helps. Rate this post.!!

Thanks

Gilbert

Gilbert,

Maybe I'm missing something....I've already binded the users to their group policy, but if I cannot statically bind the policy itself (or the tunnel group) to an interface this is going to be uneffective, since all the policies are applied dinamically to any interface where the connection comes in (or permanently to all the interfaces where a dynamic crypto map is in place, don't know).

The same applies, for my knowledge, to dowloadable acl, which also works at the user level without any knoledge of the interface the users comes in, this ends up to grant the same rights to the users regarding to the interface they are coming in.

Am I right?

Tnx,

Max.

Max -

Maybe we are not getting something through here..so, let me explain..

Lets say - you have two networks,

10.10.10.x/24 and 20.20.20.x/24 inside of the ASA.

The wireless users are connecting to an IP add 1.1.1.1 to a tunnel group- wireless and group-policy wireless group. And you can configure the user on the ASA for that group-policy wireless group. You can also configure the "group-lock" feature which puts the user in the group you configured for and if he came in on a different group - it will get rejected.

In addition to that you can configure vpn-filter for the particular group policy and say which network you want them access to.

Now, if the user comes into the ASA to an IP which is on the internet, lets say 2.2.2.2 and uses his username which is tied to a group wireless and coming in on a tunnel-group lets say internet, then the authentication is going to fail, because of the group-lock feature and the policy is tied to a specific tunnel-group.

Also, if the filter is applied to the group-policy then only access to that network is permitted.

Hope this explains.

Thanks

Gilbert

Please rate this post!!

Gilbert,

you are very kind and maybe I'n not that clear.

The point is they doesn't need to come in on a different group in order to get access from the internet, by default when you create a tunnel group on the asa this group is active on all interfaces configured with a crypto map, so users need simply to change the ip on their wireless lan profile to that of the public interface of the asa in order to connect from the internet, I've tried by myself.

What I'm looking for is a way to change this behaviour, in other words to bind a tunnel group to an interface or a crypto map.

Do I miss something?

Bye,

Max.

Max -

Alright - How about you modify the profile so that they cant change the IP address on the client side. Just "!" infront of the IP address on the profile of a VPN client (on the PCF file) would make them not to change the profile.

Will that work?

Cheers,

Gilbert

I'll give it a try.

Tnx,

Max.