ASA SSLVPN configuration

reachabdulla
Level 1

Hi.

My client requires SSL VPN to be configured at their site. I had followed the 'SSL VPN Client (SVC) on ASA Using ASDM Configuration Example' from the Cisco website. The client has some more requests based on their setup. They require authentication through their ACS server. This was implemented and worked well. Now they have a new requirement. They would like to grant SSLVPN to all their users, but apply ACL filters based on groups. For example, 'accounting' people should be assigned a specific IP based on their username. 'Sales' people should be assigned a specific IP based on their username. On the ASA we would put an ACL to restrict accounting people from accessing sales and vice versa.

I need to create groups (accounting and sales) on my ACS, and have IP address assignment based on the username. Also, I need to know what further configurations I need to perform on the ASA.

Please guide me to perform such a process. Please help in this case.

Also, please advise if there is any other better method or technique to meet the client's requirement.

My device information is as follows:

ASA 5510. ASDM 7.1(2)

ACS 3.3

Regards.

Mohammed Abdulla.

2 Replies

zhenningx
Level 4

It can be done as follows:

1. Configure the ASA to assign client IP address using authentication server:

vpn-addr-assign aaa

2. Configure AAA Client Pools on ACS server, and configure the group to assign IP from the "AAA Client Pool":

Group -> IP Assignment -> Assigned from AAA Client pool

On prior ACS 4.0 version, there is a bug where ACS will assign duplicate IPs to the clients, and it is supposed to be fixed by ACS ver 4.1.

Zhenning
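
An added example, not part of either post: one way the ASA side of this setup could look, with AAA-assigned addresses and a per-group filter ACL. It assumes ACS is reached over RADIUS and returns the group-policy name in the IETF Class attribute (25) as `OU=ACCOUNTING;` or `OU=SALES;`; every name, address and subnet below is a constructed placeholder.

```cisco
! Constructed example: server address, key, names and subnets are placeholders.
! Assumption: ACS is defined as a RADIUS server reachable via the inside interface.
aaa-server ACS protocol radius
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>
!
! Take the client address from the AAA server (the ACS "AAA Client Pool").
vpn-addr-assign aaa
!
! Filter ACLs. For a vpn-filter the source is the VPN client address and
! the destination is the inside resource.
! Assumption: ACS pool for accounting = 10.10.10.0/24, for sales = 10.10.20.0/24;
! accounting servers = 10.1.10.0/24, sales servers = 10.1.20.0/24.
access-list ACCT-FILTER extended permit ip 10.10.10.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list ACCT-FILTER extended deny ip any any
access-list SALES-FILTER extended permit ip 10.10.20.0 255.255.255.0 10.1.20.0 255.255.255.0
access-list SALES-FILTER extended deny ip any any
!
! One group-policy per ACS group; the name must match the value ACS
! returns in RADIUS attribute 25 (OU=ACCOUNTING; / OU=SALES;).
group-policy ACCOUNTING internal
group-policy ACCOUNTING attributes
 vpn-filter value ACCT-FILTER
group-policy SALES internal
group-policy SALES attributes
 vpn-filter value SALES-FILTER
!
! Tunnel group used by the SSL VPN clients authenticates against ACS.
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group ACS
```

After a test login for each group, `show vpn-sessiondb detail anyconnect` (or `svc` on older releases) shows the assigned address, the group-policy and the filter name applied to the session, which confirms the mapping before users are moved over.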