419 Views | 5 Helpful | 2 Replies
KMontgomery1
Beginner

ASA - AnyConnect - Separate Networks Based on User Profile

Currently have an ASA environment where AnyConnect users come in and are on a defined network. Have a security project where I need to bring in a separate group of users and segment them off to a separate network for PCI reasons. Would like recommendations on approach: whether it makes sense to trunk the internal side of the ASA to allow for multiple networks, or whether setting up another inside interface is a better plan, inside the new network, and letting routing happen by design in the ASA.

If anyone knows of any best practice or has any examples of how they did this, would like to understand them. Also need to prevent cross-talk between client networks.

ACCEPTED SOLUTION
Rahul Govindan
Advocate

I can think of 2 ways:

1) Add a VPN filter based on user credentials (or AD group membership) that restricts access for VPN users to certain networks, hosts or ports. All the users can connect on the same group and receive IP addresses from the same client IP pool. This is useful if you want to get granular with user/group based assignment. It does not matter how your internal network is set up, since the ASA restricts access based on L3/L4 information.

2) Assign a VLAN to the group-policy based on user/group info. This makes more sense when you have a trunk going up to the ASA and separate networks on a VLAN basis. This works well when you want users/groups etc. to have access to the entire VLAN; it is not as granular as the method above.

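As an added example (not part of this thread and not a Cisco sample configuration), the ASA CLI below implements both approaches from the accepted answer: an LDAP attribute map that selects a group-policy from AD group membership, approach 1 with a shared pool and a per-group `vpn-filter`, and approach 2 with a trunk sub-interface and the group-policy `vlan` attribute. Every name, address range, interface and AD group DN is a constructed placeholder, and `GP-PCI` is shown once for each approach as alternatives.

```cisco
! Added example: constructed placeholders throughout, not a real deployment.

! --- Common: map AD group membership to a group-policy ---
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Corp,OU=Groups,DC=example,DC=com" GP-CORP
 map-value memberOf "CN=VPN-PCI,OU=Groups,DC=example,DC=com" GP-PCI
!
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.1.20
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- Approach 1: one shared pool, access restricted per group-policy by vpn-filter ---
ip local pool ANYCONNECT-POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0
!
! vpn-filter ACLs: source = VPN-assigned client address, destination = internal
! network; the ASA applies the filter to both directions of the tunnel.
! The first entry of each list denies client-to-client traffic inside the pool,
! which is the cross-talk case raised in the question.
access-list VPNFILTER-CORP extended deny ip 10.200.0.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list VPNFILTER-CORP extended permit ip 10.200.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPNFILTER-CORP extended deny ip any any
!
access-list VPNFILTER-PCI extended deny ip 10.200.0.0 255.255.255.0 10.200.0.0 255.255.255.0
access-list VPNFILTER-PCI extended permit tcp 10.200.0.0 255.255.255.0 10.50.0.0 255.255.255.0 eq 443
access-list VPNFILTER-PCI extended deny ip any any
!
group-policy GP-CORP internal
group-policy GP-CORP attributes
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPNFILTER-CORP
!
group-policy GP-PCI internal
group-policy GP-PCI attributes
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPNFILTER-PCI

! --- Approach 2 (alternative for GP-PCI): trunk to the ASA, PCI users on their own VLAN ---
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.50
 vlan 50
 nameif inside-pci
 security-level 100
 ip address 10.50.0.1 255.255.255.0
!
ip local pool PCI-POOL 10.200.50.10-10.200.50.250 mask 255.255.255.0
!
group-policy GP-PCI attributes
 address-pools value PCI-POOL
 vlan 50
```

Two checks worth making after applying either approach. `test aaa-server authentication AD-LDAP username <user> password <pw>` confirms the LDAP bind and group lookup, and `show vpn-sessiondb detail anyconnect` shows the group-policy and filter name actually assigned to a connected session. On segmentation: client-to-client traffic hairpins on the outside interface and is only forwarded when `same-security-traffic permit intra-interface` is configured, and traffic between the two inside sub-interfaces at the same security level is dropped unless `same-security-traffic permit inter-interface` is configured; the explicit pool-to-pool deny in the filter keeps the PCI boundary from depending on either default.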

2 REPLIES

Thank you for this. I thought I recalled that you could do this; I haven't been on an ASA for a few years, though, and wanted to be sure this was still possible.
