Cisco ASA 5510 - VPN (AnyConnect) restrictions based on AD user or IP address

Hello,

I want to test how to restrict AnyConnect users on an ASA 5510. In the policy I can define which networks will go through the VPN tunnel and which will not (split tunneling). The ASA has an LDAP connection, and only AD users in a specific security group can connect via AnyConnect.
Furthermore, I would like to restrict the access for specific users within one VPN policy.

So my question:
What are your recommendations to implement this scenario?

My two ideas would be:
1. Access rules based on the AD user. 
2. Reserve specific IP addresses in the AnyConnect address pool for some users, so I can restrict the access in the normal firewall ruleset based on the source IP.

What are your recommendations and is it possible to realize my ideas (and how)?
Thanks in advance

Best regards

2 ACCEPTED SOLUTIONS

Hello,

I will suggest that you configure a second AD group in the server and another group policy in the ASA. You can configure certain access on each group policy (set up filters, assign a different split-tunnel policy, a different ACL), and in the AD server you can assign the users, for example, to AD group A and AD group B based on the access that you want to give them. Now you need to configure LDAP mapping to assign the user the particular group policy that you want, based on the AD group that they are part of.

You can follow this documentation that will help you configure the LDAP mapping:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Regards, please rate.

I believe that there are two approaches that could be used to satisfy this requirement. The approach that has been available longer is to use LDAP mapping to base authentication on user attributes learned via LDAP, as suggested in the previous post. The newer alternative is to use Dynamic Access Policy. DAP overcomes some issues that arise in using LDAP mapping, such as the restrictions of using memberOf where the user is a member of more than one group. Also, DAP allows you to configure access lists within the dynamic policy that can tailor user access to network resources.

HTH

Rick


3 REPLIES

Hi

Please go through the following links:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

I think what you can do is, with the help of the above-mentioned documents, assign a particular group policy to the users connecting from the AD database who have a particular group in AD. You can define the VPN pool of the intended IP address range in that group policy.

Regards

Jagmeet Singh

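The LDAP-mapping approach both accepted answers describe, written out as an added example that is not part of the original thread or of the linked Cisco documents: two AD groups map to two ASA group policies, each with its own address pool and its own vpn-filter, so the client's assigned address also identifies its group for ordinary interface ACLs (the original poster's second idea), and anyone who authenticates but matches neither group falls into a deny-all default policy. All names, DNs, subnets, the bind account and the 8.4-era CLI syntax are assumptions for illustration.

```cisco
! Added example, not from the thread. Names, DNs, addresses and pools are
! placeholders; replace with your own.

! One address pool per access level: the assigned client IP then tells the
! normal interface ACLs which AD group the session belongs to.
ip local pool POOL-FULL 10.10.10.1-10.10.10.100 mask 255.255.255.0
ip local pool POOL-LIMITED 10.10.20.1-10.10.20.100 mask 255.255.255.0

! vpn-filter ACLs are written with the client's assigned address as source
! and the internal resource as destination; the ASA also applies them to
! return traffic. Keep each one as tight as that group needs.
access-list VPN-FULL extended permit ip 10.10.10.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list VPN-LIMITED extended permit tcp 10.10.20.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list VPN-LIMITED extended deny ip any any

! Split-tunnel list: only these networks go through the tunnel
access-list SPLIT standard permit 192.168.0.0 255.255.0.0

! Group policy for the full-access AD group
group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-FULL
 vpn-filter value VPN-FULL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! Group policy for the restricted AD group
group-policy GP-LIMITED internal
group-policy GP-LIMITED attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-LIMITED
 vpn-filter value VPN-LIMITED
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT

! Fail closed: a user whose memberOf matches no map-value below lands here,
! and zero simultaneous logins means the tunnel is refused.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
 vpn-tunnel-protocol ssl-client

! LDAP attribute map: AD memberOf value -> ASA Group-Policy name
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf CN=VPN-Full,OU=Groups,DC=example,DC=com GP-FULL
 map-value memberOf CN=VPN-Limited,OU=Groups,DC=example,DC=com GP-LIMITED

! AD server definition; the attribute map is attached per host
aaa-server AD protocol ldap
aaa-server AD (inside) host 192.168.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-MAP

! Connection profile: authenticate against AD, default to the deny policy
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group AD
 default-group-policy NOACCESS
```

To check the mapping, `test aaa-server authentication AD host 192.168.1.10 username <user> password <pw>` exercises the bind, `debug ldap 255` prints the memberOf values returned and which map-value matched, and `show vpn-sessiondb anyconnect` shows the Group Policy and assigned address of a connected user. Two caveats a practitioner should keep in mind: first, the attribute map yields a single Group-Policy, so a user who is in both mapped groups gets whichever value the ASA settles on, not the union (the limitation Rick's answer attributes to memberOf; keep the mapped groups disjoint or move the decision to DAP); second, `sysopt connection permit-vpn` is on by default and lets decrypted VPN traffic bypass the interface ACLs, so the original poster's "normal firewall ruleset" only sees the pool addresses if that sysopt is disabled, whereas the vpn-filter ACLs above apply regardless.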
