cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Ask the Expert- SD-WAN

613
Views
5
Helpful
9
Replies
Highlighted
Beginner

Set access users role for Remote VPN on ASA5510

Dear All 

I have ASA5510 Software Version 7.2, I configure Remote VPN for 2 users. I need to know how to set a role to allow each user to access one IP in my network? 

 

Example: 

User ABC should only access the IP 192.168.1.10 when he connects to my local network 

User DEF should only access the IP 172.168.1.11 when he connects to my local network 

 

The current configuration is allowing the users to access all IPs in my network when they got connected 

 

Any suggestion ? 

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advisor

Re: Set access users role for Remote VPN on ASA5510

More elaborate solution will require for ASA upgrade for sure.

But, I think you can keep this simple.

You can create two VPN pools with One IP each:

ip local pool group1 X.X.X.1
ip local pool group2 X.X.X.2

 

Then, you can create two group policy and attach it to a tunnel group, one for each User.

 

group-policy User1 internal

group-policy User1 nsales attributes

 

group-policy User2 internal

group-policy User2 attributes

 

 

This way you can have "static" IP address.

Dont worry about ISP dynamic IP address, this will not play a role on it.

 

-If I helped you somehow, please, rate it as useful.-

 

9 REPLIES 9
VIP Advisor

Re: Set access users role for Remote VPN on ASA5510

Hello @TeleCare

 

 You just need to configure an ACL on the VPN filter. Can you share the Firewall config here?

 

-If I helped you somehow, please, rate it as useful.-

Beginner

Re: Set access users role for Remote VPN on ASA5510

Hello @Flavio Miranda

 

Thank you for your feedback 

 

Please find the configuration 

 


!
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.2.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid

pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging trap debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu DMZ 1500
ip local pool VPNPOOL 192.168.150.1-192.168.150.10 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
nat (inside) 0 access-list nonat


access-group outside-in in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1
route inside 172.16.90.0 255.255.255.0 192.168.1.2 1

timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map dynmap 64553 set transform-set ESP-3DES-SHA
crypto map outside_map 64553 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
console timeout 0
group-policy remotevpn internal
group-policy remotevpn attributes
dns-server value 172.16.90.2
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SplitTunnelACL
split-dns value AMD.local
username ABC password tCYMW encrypted privilege 15
username DEF password jkvPguw7T encrypted privilege 15

tunnel-group remotevpn type ipsec-ra
tunnel-group remotevpn general-attributes
address-pool VPNPOOL
default-group-policy remotevpn
tunnel-group remotevpn ipsec-attributes
pre-shared-key *
!
class-map inspection_default
match default-inspection-traffic
class-map conns
!
!
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:ae8058a745b9e5
: end
TeleCareFW#

VIP Advisor

Re: Set access users role for Remote VPN on ASA5510

First off, you need to see if sysopt is enable:

show run sysopt

If you see "no sysopt connection permit-vpn" then sysopt is disabled and this means that all traffic on the VPN is permited. In your case, probably it is disabled.

ideally, this option should be enabled, so that, all traffic on the VPN is denied and then you permit what you want. Otherwise, you need to deny everything and permit what you want.

 Take care with this command to do not cause outage on your VPN access.

 

After you define which rule to follow, Deny everything or permit everything then you can create the filters.

 

Please, define IPs accordingly.

First, create an Access List allowing the required traffic.

access-list VPN-FILTER permit ip X.X.X.X  255.255.255.0 X.X.X.X  255.255.255.0

 

Add the Access List to the group-policy
group-policy remotevpn  internal
group-policy remotevpn attributes
vpn-filter value VPN-FILTER

Beginner

Re: Set access users role for Remote VPN on ASA5510

Hi @Flavio Miranda

Thank you for your support 

 

 Access list is filtering the traffic based on IPs, in my situation, I need the Username to be filter criteria.

 because usually IP always changed from the user end,  I can not set role based on IP 

I need to tell my ASA " If the Username ABC get connected only allow him to access this IP" 

 

Please correct me i am wrong and advice me 

 

VIP Advisor

Re: Set access users role for Remote VPN on ASA5510

For simplicity and considering that it is only two users, I´d go with static IP address on the end users.

What do you think?

 

 

-If I helped you somehow, please, rate it as useful.-

Beginner

Re: Set access users role for Remote VPN on ASA5510

The end users are using dynamic IP, as you know the ISP internet for home use dynamic IPs, so the IP always keep changing, besides that the users are accessing from a different location from different places, so I  can not use static IP for them. 

 

Any recommendation? 

Does it require to upgrade my ASA? 

 

VIP Advisor

Re: Set access users role for Remote VPN on ASA5510

More elaborate solution will require for ASA upgrade for sure.

But, I think you can keep this simple.

You can create two VPN pools with One IP each:

ip local pool group1 X.X.X.1
ip local pool group2 X.X.X.2

 

Then, you can create two group policy and attach it to a tunnel group, one for each User.

 

group-policy User1 internal

group-policy User1 nsales attributes

 

group-policy User2 internal

group-policy User2 attributes

 

 

This way you can have "static" IP address.

Dont worry about ISP dynamic IP address, this will not play a role on it.

 

-If I helped you somehow, please, rate it as useful.-

 

Beginner

Re: Set access users role for Remote VPN on ASA5510

Thank you for your support 

 

 

I think your solution will work, I will try it out

 

 

VIP Mentor

Re: Set access users role for Remote VPN on ASA5510

There is another option. You could put all your internal resources directly on the Internet without the ASA. With that you don‘t need a VPN to access them. The security will only be slightly degraded given that your firewall hasn‘t seen security-fixes for a decade or even longer ...