
ASA SSL Connection Profiles for restricting access

gp1200x
Level 2

We have a couple of ASAs in place and allow select users full SSL access with split tunneling. Most of our users are forced to use a Citrix Gateway access. We have a lot of vendors that occasionally need access to selective internal IPs and they are currently using the old IPSEC Cisco client and we will migrate them to the newer AnyConnect 3.x clients.

We want to restrict what they can access with the newer SSL Anyconnect access. We have an ACS 4.3 but are also migrating this to a newer 5.8 one in the next month or so when I get time.

We use certs and Windows A/D to authenticate our users and we created the CA and give out the machine certs to our users. We only have two connection profiles currently in use (one for split and one for internal access only).

Our ACS for our SSL users simply validates the user name and it doesn't seem to be able to correlate to a specific connection profile in any way.

So my question is... what is the best method to allow these 20-30 vendors inside access and restrict what they can get to?

Should I create a connection profile for each vendor which I can enforce by placing their vendor name in a cert field and checking that they are connecting to the proper profile and then applying an ACL to the IPs that I give to them? Or create one connection profile and specify the IP for each user and have a large ACL for that entire connection profile? Or is there a better way?

If I created 20 or 30 connection profiles (one for each vendor), is that too many profiles for the ASA 5520 or 5510 to really handle easily? Each vendor will call us before accessing since we will probably disable their ACS user accounts.

AnyConnect 3.1.14018 and ASA 9.1(7)16

Thanks

1 Accepted Solution


Rahul Govindan
VIP Alumni

What I have done in the past for such situations is create a single connection profile with the URL "https://<asa-fqdn>/vendor" and have all of them log in on the same page. Based on the vendor, they can be applied different group-policies, each of which can have its own IP address pool and filters. You can have 20 different tunnel-groups on the ASA5510, but it becomes easier if you have all of them come in through a single URL and have dynamically mapped group-policies using RADIUS attributes set on the ACS server.

You can also have additional attributes for each vendor, such as time of access, etc., which can be set on the ASA group-policy.
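A sketch of the layout described in the reply above, for one vendor, added here as an illustration and not taken from the original post or from the poster's configuration. The names (VENDOR, VENDOR-A, NOACCESS, ACS), the addresses, the time range and the permitted host are all constructed; the mapping assumes the ACS returns the RADIUS Class attribute (IETF 25) as `OU=VENDOR-A;` for that vendor's users, which the ASA matches against the group-policy name.

```cisco
! --- Constructed example values throughout; adjust to your own addressing ---
! Per-vendor address pool, so each vendor's traffic has a distinct source range
ip local pool VENDOR-A-POOL 10.99.1.1-10.99.1.10 mask 255.255.255.0

! vpn-filter ACLs put the remote (client pool) side in the source position.
! Only the one internal host/port this vendor supports is allowed.
access-list VENDOR-A-FILTER extended permit tcp 10.99.1.0 255.255.255.0 host 10.10.20.15 eq 3389
access-list VENDOR-A-FILTER extended deny ip any any

! Optional time-of-access restriction
time-range VENDOR-HOURS
 periodic weekdays 8:00 to 18:00

! Default policy for the shared profile: if the RADIUS server returns no
! (or an unknown) group-policy, the session is refused rather than left open
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! One group-policy per vendor, selected by RADIUS Class = "OU=VENDOR-A;"
group-policy VENDOR-A internal
group-policy VENDOR-A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VENDOR-A-POOL
 vpn-filter value VENDOR-A-FILTER
 vpn-access-hours value VENDOR-HOURS
 vpn-simultaneous-logins 1

! RADIUS server group pointing at the ACS (address and key are placeholders)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.10.10.5
 key <shared-secret>

! Single connection profile shared by all vendors, reached via one group-url
tunnel-group VENDOR type remote-access
tunnel-group VENDOR general-attributes
 authentication-server-group ACS
 default-group-policy NOACCESS
tunnel-group VENDOR webvpn-attributes
 group-url https://<asa-fqdn>/vendor enable
```

Each further vendor repeats only the pool, filter ACL and group-policy stanzas; `show vpn-sessiondb anyconnect` on the ASA shows which group-policy a connected session actually received.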
