Cisco Anyconnect SSL VPN IP Pools

mkazam001
Level 3

Hi,

Does anyone know if you can assign 2 different VPN pools when you set up the Cisco AnyConnect on the ASA?

So for example, the remote contractors connect using pool-1 (access to DMZ) & the home workers connect using pool-2 (access to LAN).

All the remote users have the AnyConnect client installed, and when they connect to the ASA external IP, how can you prevent the contractors from accessing the internal network?

Thank you for any help in advance.


3 Replies

Rahul Govindan
VIP Alumni

You can have different pools assigned to different group-policies. So if a contractor and home worker are assigned different group-policies based on their credentials, they can receive 2 different pools. An example to assign different group-policies is here:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

But you don't need to have different pools to provide differentiated access. You can use the same pool and assign different vpn-filters as per their access requirements. Again, filters can be assigned via group-policy.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

Thanks Rahul,

The second option seems simpler, but if I had a pool of 192.168.10.0/28 & both the contractors & home workers connect to the ASA, how would I control the different access they are allowed?

You would have to have them assigned different group policies. If you are using RADIUS or LDAP with an AD backend, you can assign group-policy using RADIUS or LDAP attributes. Home workers will get a policy assigned to them that has no filter (hence full access). Contractors will get a policy that has a filter only allowing certain servers/networks. Filters can be created using ACLs. The comprehensive guide to do that is here:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6

If you are using the ASA local user database, you can directly assign the filter or group-policy to a user using the username attributes.

ASA(config)# username rahul attributes 
ASA(config-username)# vpn-filter value <filter-acl>
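The configuration below is an added worked example that is not part of this thread and not taken from the linked Cisco documents. It puts both suggestions from the replies together on one ASA: two address pools tied to two group-policies (the first reply), and a vpn-filter ACL on the contractor policy so that contractors only reach named DMZ hosts while home workers have no filter (the second reply). The home-worker pool is the 192.168.10.0/28 range from the question; the contractor pool (192.168.20.0/28), the DMZ hosts (10.10.10.2 and 10.10.10.5), the usernames and all object names are constructed for the example. The ACL is written with the VPN client address as the source and the internal resource as the destination, which is the orientation the ASA uses for vpn-filter ACLs; the implicit deny at the end of the ACL is what blocks everything else, including the LAN.

```text
! --- Address pools: one per user population (contractor range is constructed) ---
ip local pool POOL-HOMEWORKERS 192.168.10.1-192.168.10.14 mask 255.255.255.240
ip local pool POOL-CONTRACTORS 192.168.20.1-192.168.20.14 mask 255.255.255.240

! --- vpn-filter ACL for contractors ---
! Source = VPN client address, destination = permitted DMZ host/port.
! Only DNS and HTTPS to two assumed DMZ hosts are allowed; the implicit
! deny at the end of the ACL drops everything else, including all LAN traffic.
access-list CONTRACTOR-FILTER extended permit udp 192.168.20.0 255.255.255.240 host 10.10.10.2 eq 53
access-list CONTRACTOR-FILTER extended permit tcp 192.168.20.0 255.255.255.240 host 10.10.10.5 eq 443

! --- Group-policy for contractors: restricted pool plus the filter ---
group-policy GP-CONTRACTORS internal
group-policy GP-CONTRACTORS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-CONTRACTORS
 vpn-filter value CONTRACTOR-FILTER

! --- Group-policy for home workers: LAN pool, no vpn-filter (full access) ---
group-policy GP-HOMEWORKERS internal
group-policy GP-HOMEWORKERS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-HOMEWORKERS

! --- One connection profile for everyone; the group-policy is chosen per user ---
! The default is the restricted policy, so a user with no explicit mapping
! lands in the contractor policy rather than getting full access by accident.
tunnel-group ANYCONNECT-RA type remote-access
tunnel-group ANYCONNECT-RA general-attributes
 address-pool POOL-CONTRACTORS
 default-group-policy GP-CONTRACTORS
tunnel-group ANYCONNECT-RA webvpn-attributes
 group-alias vpn enable

! --- Local database: pin each user to a group-policy (usernames are constructed) ---
! With RADIUS instead, return the IETF Class attribute as "OU=GP-HOMEWORKERS;"
! (or "OU=GP-CONTRACTORS;") and the ASA applies that group-policy.
username alice attributes
 vpn-group-policy GP-HOMEWORKERS
 group-lock value ANYCONNECT-RA
username bob attributes
 vpn-group-policy GP-CONTRACTORS
 group-lock value ANYCONNECT-RA
```

After a contractor connects, `show vpn-sessiondb anyconnect filter name bob` shows the assigned address (from 192.168.20.0/28), the group-policy and the filter name, which is the quickest way to confirm the right policy was applied before testing that LAN addresses are unreachable from that session.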