Allow AnyConnect user just to 2 servers?

Gonzo1
Level 1

Hello,
We use the AnyConnect VPN for our Corporate users, who have access to most servers on various ports on a /24 subnet. I have been asked to allow an external company to 2 of our internal servers on file share ports (usual TCP/UDP 135-139, TCP 445). How can I achieve this without having to create a new subnet, do all the routing and create a new VPN profile? Is there an easier way where I can use our existing AnyConnect profile and lock down a single IP for this user, as they only need 1 user to connect?
Thanks

3 Replies

If your AnyConnect uses AD authentication then it's easy. Use AD attributes such as company name to select a specific group-policy/tunnel-group. This group-policy should have a split tunnel ACL to allow access to these servers only from any IP in the local pool. You can have a vpn-filter ACL as well under the group-policy.

In this case, no matter what IP they get, they won't connect to anything outside the split ACL and vpn-filter. You can also use group-lock to make sure that their accounts can connect to this group-policy only and nothing else from the dropdown (in case you have group select enabled).

Hi,
Yes, we use AD authentication. All VPN users currently use 1 AD group to get access. We use an AD RADIUS server (NPS - Network Policy Server).
For example, would I need to create a new AD group and put this user into it, then add a new policy to the NPS server to allow access?
I then use this new AD group for the group-policy? This group-policy would then have a split tunnel ACL to allow access to these 2 servers only?
That is another way of doing it which will work as well. Then you can download your crypto ACLs using RADIUS attributes. What I was referring to is to use the same AD group but a different AD attribute (such as company or position).