05-10-2017 11:39 AM
Hi,
Does anyone know if you can assign 2 different VPN pools when you set up Cisco AnyConnect on the ASA?
So, for example, the remote contractors connect using pool-1 (access to the DMZ) and the home workers connect using pool-2 (access to the LAN).
All the remote users have the AnyConnect client installed, and when they connect to the ASA external IP, how can you prevent the contractors from accessing the internal network?
Thank you for any help in advance.
05-10-2017 12:10 PM
You can have different pools assigned to different group-policies. So if a contractor and a home worker are assigned different group-policies based on their credentials, they can receive 2 different pools. An example of assigning different group-policies is here:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
But you don't need to have different pools to provide differentiated access. You can use the same pool and assign different vpn-filters as per their access requirements. Again, filters can be assigned via group-policy.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6
05-10-2017 01:23 PM
Thanks Rahul,
The second option seems simpler, but if I had a pool of 192.168.10.0/28 and both the contractors and the home workers connect to the ASA, how would I control the different access they are allowed?
05-10-2017 03:32 PM
You would have to have them assigned different group-policies. If you are using RADIUS or LDAP with an AD backend, you can assign the group-policy using RADIUS or LDAP attributes. Home workers will get a policy assigned to them that has no filter (hence full access). Contractors will get a policy that has a filter only allowing certain servers/networks. Filters are created using ACLs. The comprehensive guide to do that is here:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6
If you are using the ASA local user database, you can directly assign the filter or group-policy to a user using the username attributes.
ASA(config)# username rahul attributes
ASA(config-username)# vpn-filter value <filter-acl>
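Putting the two answers above together, here is an added example configuration (not posted in the thread, and not Cisco's own example) that uses the poster's single 192.168.10.0/28 pool and differentiates access purely with a vpn-filter on the group-policy. Every name and address in it is an assumption for illustration: the DMZ hosts 10.20.0.10/11, the LAN 10.10.0.0/16, the AD server 10.10.0.5, the policy and ACL names, the example.com LDAP DNs, and the usernames alice and bob. The ACL follows the documented vpn-filter convention: it is written from the remote client's perspective (source = client/pool address, destination = local resource, port on the destination), and return traffic is matched automatically.

```cisco
! Added example, not from the original thread. All names/addresses are assumptions.

! One address pool shared by both groups (192.168.10.1-.14 covers the /28)
ip local pool ANYCONNECT-POOL 192.168.10.1-192.168.10.14 mask 255.255.255.240

! vpn-filter ACL for contractors. Source = VPN client (pool), destination = local
! resource. Anything not permitted here, including the whole 10.10.0.0/16 LAN, is
! dropped by the implicit deny; the explicit deny with "log" makes those drops visible.
access-list CONTRACTOR-FILTER extended permit tcp 192.168.10.0 255.255.255.240 host 10.20.0.10 eq 443
access-list CONTRACTOR-FILTER extended permit tcp 192.168.10.0 255.255.255.240 host 10.20.0.11 eq 22
access-list CONTRACTOR-FILTER extended deny ip any any log

! Contractor policy: same pool as everyone else, traffic restricted by the filter
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL
 vpn-filter value CONTRACTOR-FILTER

! Home worker policy: same pool, no vpn-filter, so full access to the LAN
group-policy HOMEWORKER-GP internal
group-policy HOMEWORKER-GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-POOL

! Fail-closed default: a user whose credentials map to neither policy above
! cannot connect at all (zero simultaneous logins).
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Option A (ASA local database): pin the policy to the user, as in the reply above
username alice password <password>
username alice attributes
 vpn-group-policy HOMEWORKER-GP
username bob password <password>
username bob attributes
 vpn-group-policy CONTRACTOR-GP

! Option B (LDAP/AD): derive the policy from AD group membership
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-HomeWorkers,OU=Groups,DC=example,DC=com" HOMEWORKER-GP
 map-value memberOf "CN=VPN-Contractors,OU=Groups,DC=example,DC=com" CONTRACTOR-GP

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! Connection profile used by every AnyConnect user. For Option A, replace the
! authentication-server-group line with "authentication-server-group LOCAL".
tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Two checks worth doing after applying something like this. First, by default `sysopt connection permit-vpn` is enabled, which means decrypted VPN traffic bypasses the outside interface ACL entirely; the vpn-filter is therefore the control that actually separates the contractors from the LAN, so confirm it was attached by looking at the "Filter Name" field in `show vpn-sessiondb detail anyconnect` for a contractor session. Second, test a contractor login against a LAN host and confirm the denies appear in the syslog, since a user who lands on the wrong policy (for example because the AD DN in the attribute map does not match exactly) will otherwise be dropped into the default policy silently.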