Too many dynamic access policies

smart5
Level 1

Hi All,

I need your advice on this. I have multiple ASA firewalls in the Asia region providing SSL-VPN (Clientless-VPN) access to the corporate network, for example in Hong Kong and Singapore. When users from Singapore travel to Hong Kong, they can't use the SSL URL hosted there because, even though the login is successful, the DAP with their bookmarks is not configured on the HK firewalls. So these users have no choice but to SSL-VPN back to the Singapore firewalls, but this is inefficient and slow.

My questions are as follows:

1) Can I export the DAP from the Singapore firewalls and import it into the Hong Kong firewalls, and vice versa?

2) Can I export the bookmarks from the Singapore firewalls and import them into the Hong Kong firewalls, and vice versa?

3) Due to the number of users, I have too many DAPs configured on each firewall to match each cisco-userid to its respective bookmark. Can I use something like a variable, so that one DAP will be sufficient? I need the DAP to be able to capture the username keyed in by the user and match it against a bookmark configured with the same username.

Like.

cisco.username =%uname

bookmarks=%uname

Any help will be much appreciated. Thanks


ksirupa
Level 3

Hi,

We don't have an easy method to display a bookmark list based on username.

However, you can create one master bookmark list which has many different individual bookmarks each including a variable "CSCO_WEBVPN_USERNAME".

Example:

http://myserver.com/CSCO_WEBVPN_USERNAME/home/root

cifs://myftpserver.com/root/users/CSCO_WEBVPN_USERNAME/marketing etc..

When you do this, the ASA will replace the macro CSCO_WEBVPN_USERNAME with the session username.

So, if user "john" logs in, they will see two bookmarks: http://myserver.com/john/home/root and cifs://myftpserver.com/root/users/john/marketing

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1002989

One other alternative is to use LDAP attribute maps instead of DAP. If you have an LDAP database or Active Directory that has all the usernames, you can use the LDAP attribute map feature, which maps a particular LDAP attribute (say cn or username) to the Cisco attribute WebVPN-URL-List.

See an example below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

One caveat is that the URL-List setting in DAP and in the LDAP attribute map are mutually exclusive. So, you shouldn't apply URL-List in DAP anymore.

Thanks,

Kiran
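
As an added illustration (not code from this thread or from Cisco), here is a small Python model of the two approaches Kiran describes: one DAP record per user, each tied to that user's own url-list, versus one master url-list carrying the CSCO_WEBVPN_USERNAME macro that is expanded with the session username. All record names, hosts and usernames are constructed, and it goes one step beyond the thread by applying the macro to the RDP desktop hostname, which only works if desktop names follow a per-user convention.

```python
# Model of how an ASA picks clientless SSL-VPN bookmarks for a session.
# Contrasts the thread's two approaches: one DAP record per user, each tied
# to that user's own url-list, versus one master url-list carrying the
# CSCO_WEBVPN_USERNAME macro that the ASA expands with the session username.
# All record names, hosts and usernames below are constructed.
import re

MACRO = "CSCO_WEBVPN_USERNAME"
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]+")  # what this model will splice into a URL

# Per-user approach: (DAP record name, required cisco.username, url-list name)
PER_USER_DAP = [
    ("dap-john", "john", "john-bookmarks"),
    ("dap-mary", "mary", "mary-bookmarks"),
]
PER_USER_LISTS = {
    "john-bookmarks": ["https://intranet.example.com/john/home",
                       "rdp://desktop-john.example.com"],
    "mary-bookmarks": ["https://intranet.example.com/mary/home",
                       "rdp://desktop-mary.example.com"],
}

# Master-list approach: one list for everyone, macro in place of the username.
MASTER_LIST = [
    f"https://intranet.example.com/{MACRO}/home",
    f"rdp://desktop-{MACRO}.example.com",
]


def bookmarks_per_user_dap(username):
    """Union of url-lists from every DAP record whose cisco.username matches.
    A user with no record on this ASA (a traveller from another site) gets
    nothing, which is the gap the original poster hit on the HK firewall."""
    urls = []
    for _record, match_user, url_list in PER_USER_DAP:
        if match_user == username:
            urls.extend(PER_USER_LISTS[url_list])
    return urls


def bookmarks_master_list(username):
    """Expand the macro for this session's username.
    The username is checked first so a value containing '/' or '@' cannot
    move a bookmark to another host or path (a conservative check in this
    model, not a statement about what the ASA itself does)."""
    if not SAFE_USERNAME.fullmatch(username):
        raise ValueError(f"refusing to expand macro for {username!r}")
    return [url.replace(MACRO, username) for url in MASTER_LIST]
```

With the master list, a user who has no DAP record on a given ASA still receives the same bookmarks as everywhere else, which is the point of Kiran's suggestion.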

For the bookmarks, I think I can't make it simpler or use the method you suggest, because each individual VPN user has a unique bookmark that allows RDP to their personal desktop machine.

What about my questions on exporting DAP and bookmarks to import into another firewall?

My apologies, ASDM has an option to back up/restore the configurations. You can find it under "Tools". When you back up, select only DAP and CSD policies. Everything else should be unchecked. Then you can save it as a zip file and restore it on the other ASA. If you need automatic sync-up and push of DAP, we will need to use CSM for that.

Hi,

Thanks for that. Last question: when you say back up those DAP and CSD policies from firewall A and restore them on firewall B, can I do it during production hours without impacting operations? And if there's a case where firewall A has a DAP policy XX and firewall B has a policy YY, and I back up A's config and restore it on B, will YY be overwritten, or will they merge, with the end result being XX and YY?

Pardon me, can you provide me the full terms of these?

DAP: dynamic access policies

CSD: cisco secure desktop?

CSM: ??

If the DAP records have two different names, then the restore on Firewall-B will add to the existing DAPs (so XX and YY). If they are the same, I am not very sure whether it will overwrite or merge. I will have to test.

CSM - Cisco Security Manager - helps you configure multiple security devices (firewall, router, switch, IDS, IPS, MARS etc.) from one unified policy interface. It also supports checkpoint and rollover, multi-device config replication and push, etc.

http://www.cisco.com/en/US/products/ps6498/index.html

DAP - Dynamic Access Policy

CSD - Cisco Secure Desktop.

Thanks for the clarification on these terms.

I notice that my firewall A is using CSD but firewall B is not.

Will restoring the config from A, with CSD, onto B cause any conflict?

Correction:

I see that I can choose not to back up the CSD config, just DAP alone.

But may I ask, which category do bookmarks fall into?

Bookmarks are known as "URL-Lists". They may show up under "webcontents" as well depending on the ASDM version.
