10-05-2011 10:22 PM - edited 02-21-2020 05:38 PM
I'm fairly new to the ASA world, but am pretty clued up when it comes to IOS-based SSL VPN setup, and have run into an issue which I can't seem to find an answer for.
What I'm after is a way to restrict access to an AnyConnect authenticated and connected client, on a specific profile, to a list of specific websites (all on the Intranet). Everything else must be blocked.
On the IOS device, I had it fudged to pretty much restrict access to a certain IP and port, and used a mod_rewrite in Apache to re-write a URL from that IP to the host the site actually resided on. It's kludged together and working, but it's not ideal (and it's not going to allow for scaling up to what I need).
I can find plenty of references here and on the net to using regex to create block lists based on a global policy to disallow specific URLs, but I need the inverse of that, and only applied to a specific policy group.
Is this possible on an ASA5505? Is it possible on *any* ASA?
Any help appreciated.
- Drew
10-06-2011 07:33 PM
Is this clientless (webvpn) deployment or it is full tunnel AnyConnect deployment?
With clientless, you can configure bookmarks to only allow those few intranet URLs that you would like the group to have access to, then you can disable users from being able to connect directly by disabling the URL text box.
With full client, you can configure vpn-filter to only allow access to those few intranet URLs.
10-06-2011 07:51 PM
As mentioned, it's the AnyConnect client (in the title).
"What I'm after is a way to restrict access to an AnyConnect authenticated and connected client, on a specific profile, to a list of specific websites (all on the Intranet). Everything else must be blocked."
Do you have a sample configuration that could possibly assist me? I'm new to the ASA world, and haven't touched a PIX in well over 6 years unfortunately.
Any samples would be awesome :)
10-06-2011 08:12 PM
Here is the sample configuration with vpn-filter:
Hope this helps.
10-06-2011 08:31 PM
Thanks Jennifer, that's pretty much what I have now on my IOS SSL VPN gateway.
I should have been more specific, I actually need to lock it to very specific URLs on devices to avoid people simply dropping off the last few directories of the site, and accessing data they should not be able to see.
I'm trying to work around an existing setup that is not going to be changing anytime soon unfortunately. Is there a way to do these kinds of filters on a per group-policy setup, using regex?
10-06-2011 08:47 PM
Unfortunately not for AnyConnect client.
The webtype ACL is only supported on Clientless SSL:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/a1.html#wp1599455
10-06-2011 08:50 PM
Is there a way to do URL matching on regex in conjunction with the vpn-filter command?
Just seems a little backward that by enabling more functionality, it's making it harder to lock down (not your fault, I know).
10-06-2011 08:54 PM
Yes, you can configure that with service-policy.
Here is the sample for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
The example is configured with permit tcp any any on port 80 and 443, so you might want to restrict that to your AnyConnect traffic flow: tcp
and apply the service policy on the outside interface.
10-06-2011 09:05 PM
Thanks again, but that won't work either.
I need to find a way of having it so it's only on one policy-group, and not for every VPN user.
I have 3 policy groups, two for external parties to access very specific URLs (both different lists) and a third for staff (no filters required). Applying a service policy to an entire interface will not work as it will restrict every VPN user to the same conditions.
In addition, that example is to *block* websites. The 2 policy groups that need restricting have a defined set of URLs that they are *only* allowed to access, and everything else must be blocked.
I need to restrict several policy groups to very specific sets of URLs, on the same ASA, and deny all other sites (allowing only DNS queries, which is easy to do).
I was under the belief that it was quite easy to do on an ASA (hence my reason for getting one in place of the IOS based VPN end-point) but it's appearing as though it's not a possibility.
10-06-2011 09:28 PM
How about configuring different pools of addresses for those 2 different policies. Once the vpn pool is different between guest and staff, then you can restrict them accordingly per the unique vpn pool.
The VPN filter will already restrict it to a specific IP Address. The service policy will further restrict it to the URL level. You can create a "match not" regex to allow the configured regex through:
http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2118309
Getting more complicated now
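An added worked example of the per-group approach described above (constructed for this thread, not from the original posts or from Cisco's configuration examples): one partner group gets its own pool, a vpn-filter limiting it to DNS and one intranet web host, and an HTTP inspection policy whose "match not" URI regex drops every request outside the allowed paths, scoped to that pool only so the staff group is untouched. All names, addresses, pool ranges and URL paths are assumed placeholders.

```cisco
! Constructed example: partner group "GUEST-A" gets its own pool so the
! service policy below can be scoped to that pool alone (staff pool untouched).
ip local pool GUEST-A-POOL 10.10.1.1-10.10.1.50 mask 255.255.255.0
!
! vpn-filter: only DNS and HTTP to the intranet hosts, everything else denied.
! Assumed direction convention for remote-access vpn-filter ACLs: source = inside
! host (with its port), destination = client pool; confirm against the vpn-filter
! command reference for your ASA version before relying on it.
access-list GUEST-A-FILTER extended permit udp host 192.168.100.10 eq domain 10.10.1.0 255.255.255.0
access-list GUEST-A-FILTER extended permit tcp host 192.168.100.20 eq www 10.10.1.0 255.255.255.0
access-list GUEST-A-FILTER extended deny ip any any
!
group-policy GUEST-A internal
group-policy GUEST-A attributes
 vpn-tunnel-protocol ssl-client
 address-pools value GUEST-A-POOL
 vpn-filter value GUEST-A-FILTER
!
! Allowed URI paths for this group (constructed); any request NOT matching one
! of them is dropped and logged by the inspection policy below.
regex GUEST-A-URI-1 "^/intranet/partner-a/"
regex GUEST-A-URI-2 "^/reports/partner-a/"
class-map type regex match-any GUEST-A-ALLOWED-URIS
 match regex GUEST-A-URI-1
 match regex GUEST-A-URI-2
!
class-map type inspect http match-all GUEST-A-DISALLOWED
 match not request uri regex class GUEST-A-ALLOWED-URIS
!
policy-map type inspect http GUEST-A-HTTP
 parameters
 class GUEST-A-DISALLOWED
  drop-connection log
!
! Scope the inspection to HTTP sourced from the GUEST-A pool only; staff and
! the other partner pool never hit this class, so they keep their own rules.
access-list GUEST-A-HTTP-FLOWS extended permit tcp 10.10.1.0 255.255.255.0 any eq www
class-map GUEST-A-HTTP-CLASS
 match access-list GUEST-A-HTTP-FLOWS
!
policy-map OUTSIDE-POLICY
 class GUEST-A-HTTP-CLASS
  inspect http GUEST-A-HTTP
service-policy OUTSIDE-POLICY interface outside
```

The URI regex is only evaluated on cleartext HTTP: on port 443 the ASA cannot see the path, so for HTTPS sites the vpn-filter host and port rule is the only control unless TLS is terminated in front of the ASA. Repeat the pool, filter, regex class and traffic class with different names for the second partner group, adding its class to the same OUTSIDE-POLICY, since an interface takes only one service policy.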
10-06-2011 09:36 PM
Thanks for that. Yes, what seems to be a simple request is becoming stupidly complicated :)
I've just broken up the two 'special' groups to have their own IP pools, so I'll get to work on the VPN ACLs and regexes. Time to brush up on my carets and dots.
10-06-2011 09:40 PM
LOL, have fun ...