cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
862
Views
0
Helpful
9
Replies

How does one restrict certian VPN users to only acces certian internal IPs?

clmcosysadmin
Level 1
Level 1

I'm still realatively new to CISCO and have searched the question archives for similiar answers. Then again perhaps I'm not using the right search criteria.

I have a ASA5510 and so far primarily use the ASDM as I'm still very much a novice yet at using the CLI.

I've set up remote VPN access for external users and it's working good ...

What I'd still like to do is have ...

Some (sysadmin) remote users be able to access to all the IPs on the internal network while most of the users (departmental managers) only need access to about 10 IPs.

Is there a "cookbook" method to go about accomplishing this?

Thanks,

Roy

9 Replies 9

attrgautam
Level 5
Level 5

What you could do is create 2 different groups and sysadmin can login to the first group and access all the content. The users in the 2nd group can access the restricted resources which you can implement using split-tunneling on the ASA.

This is the only method i can think of for now.

Thanks for the suggestion!

I try that approach.

If you use radius as an xauth for your remote vpn users, you can configure your radius server to send an ACL name to the PIX, which can be applied as additional filtering.

As an example, I have a few different VPN groups setup to define general access restrictions (users/admins/etc), as well as downloadable ACL's which get applied to each remote users VPN connection to further restrict areas based on the particular user (or group).

On my radius server (FreeRADIUS), this is configured with the variable Filter-Id, which references the name of an ACL on the PIX to apply to the remote user.

This document may be useful if you end up adding this extra level of filtering:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html

Cheers,

-Joshua

Joshua,

How did you go about configuring your freeradius server? Are you using linux version? I am trying to setup a 802.1x auth with freeradius on 2950 switch. Any help in configuring freeradius would be greatly appreciated.

Hi Stephen,

Yes, I'm using the Linux version. It was a straight forward configuration. The only change was that I had to configure it to use the old radius and radaccounting ports (1645/1646 respectively) by editing the /etc/raddb/radiusd.conf file (search for "port =").

The port to use depends on which RFC Cisco is following for that device. The newer RFC's define the port as 1812, and I believe FreeRadius defaults to this port as well. If you're unsure, start up tcpdump and watch for the requests.

After you have your ports setup properly, it's just a matter of editing your /etc/raddb/clients.conf file to set it up properly with the right secret. Also, set your nastype to cisco.

Cheers,

-Joshua

Joshua,

I am not having any problems figuring that out it is figuring out how to setup the user credentials so that a user can authenticate the port.

Are you using the any kind of SQL for user accounts? What is your recommendation on user credentials?

Thanks,

Stephen

Hi Stephen,

No, I'm using local accounts on the server, but nothing to do with 802.1x.

Google shows quite a lot of hits concerning FreeRadius and 802.1x authentication. Two of the most likely candidates listed below:

http://www.tldp.org/HOWTO/html_single/8021X-HOWTO/

http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html

-Joshua

grant.maynard
Level 4
Level 4

setup two vpn groups, one for sysadmin, one for users.

create two pools of addresses, assign one pool to each vpngroup.

On the ACL inbound to the outside interface, add lines to restrict VPN traffic, e.g.

acl in_outside permit ip [sysadmin pool] any

acl in_outside permit ip [user pool] [selected IPs]

Finally, force all VPN traffic through the in_outside ACL by putting "no sysopt connect permit-ipsec" in the config.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: