Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1196
Views
0
Helpful
2
Replies

contractors and employees access of internal web site using clientless ssl vpn.

Go to solution
Peter Tran
Level 1
Level 1

‎03-23-2016 07:40 AM - edited ‎02-21-2020 08:44 PM

We have a clientless SSL VPN web page setup that allow employees and contractors to login and view internal web page.  I was ask if possible to separate employees and contractors from accessing internal web page.  The internal web page does not have users authentication.  They would like to see if it's possible that employees traffic get proxy behind INSIDE interface IP of ASA, and contractor traffic get proxy behind different IP.  So, the internal web page can check for IP of contractor and only grant them access to view certain web page but not all pages.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Diego Lopez
Level 1
Level 1

‎03-23-2016 03:19 PM

Hello,

Creating a group policy for each user group will be a good option you can also use DAP to assign a web ACL to the user that is connecting to the clientless portal, you can use Cisco, LDAP or Radius attributes to associate the DAP to the user. For example if you are using LDAP you can create 2 separate groups there for employees and contractors and based on the LDAP group membership of the user they will be assigned with the specific web acl that you configured based on their access restrictions.

You can follow this link to configure a web acl:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/acl_webtype.html#wp1100532

Once the ACL is ready you can follow this guide to setup the DAP: "check figure10 for web acls"

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#intro

Thanks, please rate!.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-23-2016 09:17 AM

The way clientless SSL VPN is ASA will always proxy the client request on the interface the where the destined resource is located.

If it suits you, you can have either employees or contractors go for anyconnect client based solution.
Else create different group-policy for the contractors and then create specific bookmarks for them which they are authorized to access and then disable the URL link so that they can't access anything other than that.
Check this section "Observing Clientless SSL VPN Security Precautions" in this document :

"http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/webvpn.html#wp999589"

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

Go to solution
Diego Lopez
Level 1
Level 1

‎03-23-2016 03:19 PM

Hello,

Creating a group policy for each user group will be a good option you can also use DAP to assign a web ACL to the user that is connecting to the clientless portal, you can use Cisco, LDAP or Radius attributes to associate the DAP to the user. For example if you are using LDAP you can create 2 separate groups there for employees and contractors and based on the LDAP group membership of the user they will be assigned with the specific web acl that you configured based on their access restrictions.

You can follow this link to configure a web acl:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/acl_webtype.html#wp1100532

Once the ACL is ready you can follow this guide to setup the DAP: "check figure10 for web acls"

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#intro

Thanks, please rate!.

0 Helpful
Customers Also Viewed These Support Documents