Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
622
Views
5
Helpful
2
Replies

ASA - AnyConnect - Separate Networks Based on User Profile

Go to solution
KMontgomery1
Level 1
Level 1

‎04-06-2018 09:33 AM - edited ‎03-12-2019 05:10 AM

Currently have an ASA environment where AnyConnect users come in and are on a defined network.  Have a security project where I need to bring in a separate group of users, and segment them off to a separate network for PCI reasons.  Would like recommendations on approach, whether it makes sense to trunk the internal side of the ASA to allow for multiple networks, or whether setting up another inside interface is a better plan, inside of the new network and let routing happen by design in the ASA. 

If anyone knows of any best practice or has any examples of how they did this, would like to understand them.  Also need to prevent cross-talk between client networks. 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎04-09-2018 09:00 AM

I can think of 2 ways:

 

1) Add a VPN filter based on user credentials (or AD group membership) that restricts access for VPN users to certain networks, hosts or ports. All the users can connect on the same group, receive ip addresses from the same client ip pool. This is useful if you want to get granular with user/group based assignment. Does not matter how your internal network it setup since ASA restricts access based on L3/L4 information.

 

2) Assign a VLAN to the group-policy based on user/group info. This makes more sense when you have a trunk going up to the ASA and separate networks on a VLAN basis. This works well when you want users/group etc to have access to the entire vlan, not as granular as the method above. 

View solution in original post

2 Replies 2

Go to solution
Rahul Govindan
VIP Alumni
VIP Alumni

‎04-09-2018 09:00 AM

I can think of 2 ways:

 

1) Add a VPN filter based on user credentials (or AD group membership) that restricts access for VPN users to certain networks, hosts or ports. All the users can connect on the same group, receive ip addresses from the same client ip pool. This is useful if you want to get granular with user/group based assignment. Does not matter how your internal network it setup since ASA restricts access based on L3/L4 information.

 

2) Assign a VLAN to the group-policy based on user/group info. This makes more sense when you have a trunk going up to the ASA and separate networks on a VLAN basis. This works well when you want users/group etc to have access to the entire vlan, not as granular as the method above. 

Go to solution
KMontgomery1
Level 1
Level 1
In response to Rahul Govindan

‎04-16-2018 05:07 AM

Thank you for this, I thought I recalled that you could do this, I haven't been on an ASA for a few years though and wanted to be sure this was still possible. 

0 Helpful
Customers Also Viewed These Support Documents