04-06-2018 09:33 AM - edited 03-12-2019 05:10 AM
Currently have an ASA environment where AnyConnect users come in and are on a defined network. Have a security project where I need to bring in a separate group of users, and segment them off to a separate network for PCI reasons. Would like recommendations on approach, whether it makes sense to trunk the internal side of the ASA to allow for multiple networks, or whether setting up another inside interface is a better plan, inside of the new network and let routing happen by design in the ASA.
If anyone knows of any best practice or has any examples of how they did this, would like to understand them. Also need to prevent cross-talk between client networks.
04-09-2018 09:00 AM
I can think of 2 ways:
1) Add a VPN filter based on user credentials (or AD group membership) that restricts access for VPN users to certain networks, hosts or ports. All the users can connect on the same group, receive IP addresses from the same client IP pool. This is useful if you want to get granular with user/group based assignment. Does not matter how your internal network is set up since ASA restricts access based on L3/L4 information.
2) Assign a VLAN to the group-policy based on user/group info. This makes more sense when you have a trunk going up to the ASA and separate networks on a VLAN basis. This works well when you want users/groups, etc. to have access to the entire VLAN, not as granular as the method above.
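Both options from the answer above, written out as an added ASA configuration example (not from the original post or from Cisco); the pool ranges, VLAN number, interface, object names and AD group DN are assumed values for illustration.

```cisco
! Option 1: L3/L4 restriction with a vpn-filter (assumed addressing:
! existing client pool 10.10.0.0/24, new PCI pool 10.20.0.0/24,
! PCI servers on VLAN 200 = 10.50.10.0/24)
ip local pool PCI_POOL 10.20.0.10-10.20.0.250 mask 255.255.255.0

! vpn-filter ACLs are written with the VPN client as the source; the ASA
! applies the same ACL to return traffic. Only the listed services on the
! PCI segment are reachable; everything else hits the implicit deny.
access-list PCI_VPN_FILTER extended permit tcp 10.20.0.0 255.255.255.0 10.50.10.0 255.255.255.0 eq 443
access-list PCI_VPN_FILTER extended permit tcp 10.20.0.0 255.255.255.0 10.50.10.0 255.255.255.0 eq 22
! explicit block of cross-talk with the existing AnyConnect pool
access-list PCI_VPN_FILTER extended deny ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0

group-policy PCI_GP internal
group-policy PCI_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value PCI_POOL
 vpn-filter value PCI_VPN_FILTER
 ! Option 2: also land PCI sessions on the PCI VLAN's subinterface
 vlan 200

! Subinterface on the trunked inside link that carries the PCI VLAN
interface GigabitEthernet0/1.200
 vlan 200
 nameif pci_inside
 security-level 100
 ip address 10.50.10.1 255.255.255.0

! Map AD group membership to the PCI group-policy so one tunnel-group
! can serve both user populations with different restrictions
ldap attribute-map AD_GP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=PCI-VPN-Users,OU=Groups,DC=example,DC=com" PCI_GP

aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.10.5.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password REPLACE-ME
 server-type microsoft
 ldap-attribute-map AD_GP_MAP
```

After a PCI user connects, `show vpn-sessiondb detail anyconnect` shows the group-policy, filter name and VLAN applied to that session, which is the quickest way to confirm the mapping took effect.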
04-16-2018 05:07 AM
Thank you for this, I thought I recalled that you could do this, I haven't been on an ASA for a few years though and wanted to be sure this was still possible.