ASA 5506-X - assign VPN users to VLANs

apem-csco
Level 1
On ASA 5506-X, how do we assign each VPN user to a separate VLAN? Let me explain what we are planning to do a bit more.

The connectivity will be ISP <-> Modem <-> ASA 5506-X <-> ESXi VMs.

A Dell server running ESXi will host several VMs - say VM-1, VM-2, .., VM-5.

Remote users will VPN into the ASA - say User-1, User-2, .., User-5.

User-1 should only have RDP access to VM-1 and nothing else, User-2 to VM-2 and so on.

I am thinking of putting each VM into a dedicated VLAN by creating VLAN port groups in ESXi. On the ASA, there will be sub-interfaces for each VLAN. Assigning each VPN user to a specific VLAN will achieve this goal by isolating them, I believe, but I am open to other suggestions.

The reason to select the 5506-X is its UTM features.
6 Replies

Marvin Rhoads
Hall of Fame

Remote access VPN users are assigned addresses (mapping to internal VLANs) according to the tunnel-group or connection profile that they connect on.

You could make multiple connection profiles and lock each user to a specific one.

Thanks for the reply Marvin and I'm glad to hear that it is possible.

I cannot try this out for now as we haven't bought this unit yet.

This will certainly help with the decision making.

 

I do however have an ASA 5505 on which I am going to test the method you have suggested.

I believe both the 5505 and the 5506-X are somewhat similar (except that the 5506-X has routed ports with UTM capabilities).

I would suggest going another direction with this. Instead of having several connection profiles, I suggest having one connection profile that everyone connects to and then creating several group-policies and locking the users to their specific group-policy. You can also assign a VLAN in the group policy that the VPN client will be assigned to, as well as VPN-filters to restrict other access, etc.

MYASA(config-group-policy)# ?
group_policy configuration commands:
  vlan
  vpn-filter

--

Please remember to select a correct answer and rate helpful posts

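The configuration below is an added example written for this thread; it is not from either reply above nor from Cisco documentation. It puts both suggestions together: a single connection profile that everyone connects to (Marvin's tunnel-group point), one group-policy per user carrying the `vlan` and `vpn-filter` attributes Marius lists, and each local username locked to its group-policy. Interface names, VLAN IDs, address pools, VM addresses and usernames are all constructed placeholders. The vpn-filter ACEs are written with the local host and port as the source and the VPN client address as the destination, which is the order the ASA applies to the bidirectional filter; confirm the behaviour on your own software version before relying on it.

```cisco
! Added example config (not from the thread). Every name, VLAN ID and
! address below is a constructed placeholder.

! One inside sub-interface per VLAN: VLAN 11 holds VM-1, VLAN 12 holds VM-2
interface GigabitEthernet1/2.11
 vlan 11
 nameif vm1
 security-level 100
 ip address 10.0.11.1 255.255.255.0
!
interface GigabitEthernet1/2.12
 vlan 12
 nameif vm2
 security-level 100
 ip address 10.0.12.1 255.255.255.0

! One client address pool per user, so the VPN address itself says which VM
! the client may reach
ip local pool POOL-VM1 10.99.11.10-10.99.11.20 mask 255.255.255.0
ip local pool POOL-VM2 10.99.12.10-10.99.12.20 mask 255.255.255.0

! vpn-filter ACLs: permit only RDP (tcp/3389) between the user's own VM and
! that user's pool; the implicit deny drops everything else in both directions
access-list VPNFILTER-VM1 extended permit tcp host 10.0.11.10 eq 3389 10.99.11.0 255.255.255.0
access-list VPNFILTER-VM2 extended permit tcp host 10.0.12.10 eq 3389 10.99.12.0 255.255.255.0

! One group-policy per user: pool, VLAN and filter all live here
group-policy GP-USER1 internal
group-policy GP-USER1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-VM1
 vlan 11
 vpn-filter value VPNFILTER-VM1
!
group-policy GP-USER2 internal
group-policy GP-USER2 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL-VM2
 vlan 12
 vpn-filter value VPNFILTER-VM2

! Default policy for the shared profile: an account with no explicit
! group-policy cannot log in at all, so a missing mapping fails closed
group-policy GP-DENY internal
group-policy GP-DENY attributes
 vpn-simultaneous-logins 0

! The single connection profile everyone uses; no per-user choice on the client
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 default-group-policy GP-DENY
tunnel-group RA-VPN webvpn-attributes
 group-alias RA-VPN enable

! Lock each local user to its group-policy. With RADIUS or LDAP the same
! mapping is returned by the server (for example via the Class attribute)
! instead of being set on a local username.
username user1 password PLACEHOLDER-PASSWORD
username user1 attributes
 vpn-group-policy GP-USER1
username user2 password PLACEHOLDER-PASSWORD
username user2 attributes
 vpn-group-policy GP-USER2
```

After a user connects, `show vpn-sessiondb anyconnect` shows which group-policy and filter were applied, which is the quickest way to confirm that a user landed in the intended policy rather than GP-DENY.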

Hi Marius,

I agree - your method is probably a better one. There's less confusion, as the end users do not have to choose anything special.

Thanks Marius.

Great stuff - thanks both for helping out.

I will get back after trying this on a 5505 - which may actually take a while.

Greetings,

I need expertise in similar VLAN related configuration for anyconnect on FTD.

In our setup, IP assignment to RAS users is done by a RADIUS server. The RADIUS server also assigns different VLAN IDs to users from different regions. I want to understand how I need to configure those VLANs on FTD. Do I need to configure subinterfaces and assign VLANs to them?

All users will be using the same applications, so how should I configure routing on FTD so that a specific subinterface will be preferred?

 

Thanks for your help in advance.

 

---

Regards,

Sagar Phadatare.