Can Firepower have multiple IPv4 pools for Remote access VPN?

eeebbunee
Level 1

Hello Engineers and Professionals,

I wonder whether Firepower can have multiple IPv4 pools for remote access VPN.

I have one IPv4 pool for remote users, but I need different user accounts for vendors.

For example,

Company Users: 192.168.1.20-192.168.1.200 (can access all internal servers)

Vendors: 192.168.1.10-192.168.1.19 (can access a specific server)

And FTD can have two different ways: one is the website and the other is AnyConnect.

I would like company users to use AnyConnect and vendors to use WebVPN, if it's feasible.

Do you have a better idea for Firepower?

ASA can have host accounts, unlike Firepower; it was easy to create an account for a vendor. But it is hard to create a secured account on Firepower.

3 Replies

@eeebbunee

Yes, you can have multiple VPN IP pools; these can be applied to users either dynamically via LDAP/RADIUS or statically configured on the tunnel-group/group-policy. The easiest thing in your scenario would be to create a dedicated tunnel-group, configure a new VPN pool and get the vendors to connect to this tunnel-group.

FTD does not support WebVPN; you can only use AnyConnect for Remote Access VPN.

I really appreciate your reply!

I would like to try right away; is there a document I can refer to for configuring a tunnel-group?

Thank you.

@eeebbunee

Tunnel group example below. This will be unique to the vendors; they would connect to the example URL as defined using the group-url (obviously amend to fit your environment).

! Group policy for vendors: AnyConnect (SSL) only, addresses taken from the vendor pool
group-policy VENDORS internal
group-policy VENDORS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VENDORS_VPN_POOL
!
! Connection profile (tunnel-group) the vendors connect to, authenticating against LDAP
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
 authentication-server-group LDAP
 ! bind the VENDORS policy to this profile; without it sessions fall into DfltGrpPolicy
 default-group-policy VENDORS
tunnel-group VENDORS webvpn-attributes
 group-alias VENDORS enable
 group-url https://asa-vpn1.company.com/vendors enable

FYI, Tunnel-group is actually the same as a Connection Profile. A tunnel-group is the name when configuring using the CLI and a Connection Profile if configuring using ASDM.
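A fuller version of the same approach, added here as an illustration and not taken from the original post or from Cisco documentation: two address pools matching the ranges in the question, one group policy per population, and a vpn-filter ACL so that the vendor group policy can reach only one internal server. The pool and policy names, the server address 10.10.10.50 and port, the LDAP server-group name and the URLs are assumed values; the vpn-filter ACL is written in the ASA remote-access convention (source = VPN client address, destination = internal host).

```text
! Added example (assumed names and addresses), not the original poster's config.
!
! Address pools: company users and vendors, matching the ranges in the question
ip local pool COMPANY_VPN_POOL 192.168.1.20-192.168.1.200 mask 255.255.255.0
ip local pool VENDORS_VPN_POOL 192.168.1.10-192.168.1.19 mask 255.255.255.0
!
! Network object covering the vendor pool range, used as the ACL source
object network VENDOR_POOL_RANGE
 range 192.168.1.10 192.168.1.19
!
! VPN filter for vendors: one internal server on one port, everything else denied.
! 10.10.10.50 / port 443 are placeholders for the single server the vendors may reach.
access-list VENDOR_VPN_FILTER extended permit tcp object VENDOR_POOL_RANGE host 10.10.10.50 eq 443
access-list VENDOR_VPN_FILTER extended deny ip any any
!
! Company group policy: full access, company pool
group-policy COMPANY internal
group-policy COMPANY attributes
 vpn-tunnel-protocol ssl-client
 address-pools value COMPANY_VPN_POOL
!
! Vendor group policy: vendor pool plus the restricting filter
group-policy VENDORS internal
group-policy VENDORS attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VENDORS_VPN_POOL
 vpn-filter value VENDOR_VPN_FILTER
 ! keep vendor sessions pinned to the VENDORS connection profile
 group-lock value VENDORS
!
! Company connection profile
tunnel-group COMPANY type remote-access
tunnel-group COMPANY general-attributes
 address-pool COMPANY_VPN_POOL
 authentication-server-group LDAP
 default-group-policy COMPANY
tunnel-group COMPANY webvpn-attributes
 group-alias COMPANY enable
 group-url https://vpn.example.com/company enable
!
! Vendor connection profile
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
 address-pool VENDORS_VPN_POOL
 authentication-server-group LDAP
 default-group-policy VENDORS
tunnel-group VENDORS webvpn-attributes
 group-alias VENDORS enable
 group-url https://vpn.example.com/vendors enable
```

Two points worth checking after applying something like this. First, each tunnel-group needs default-group-policy, otherwise sessions fall into DfltGrpPolicy and never receive the vendor pool or the filter. Second, because both profiles authenticate against the same LDAP server group, a vendor who chooses the company alias would still be authenticated and land in the company policy; group-lock only helps once the group policy is assigned from the directory (for example an LDAP attribute map from memberOf to Group-Policy) or the vendors authenticate against a separate source. On FTD the same objects (address pools, group policies with a VPN filter, connection profiles) are built in the FMC remote-access VPN policy and pushed to the device as this style of configuration; after a vendor connects, show vpn-sessiondb anyconnect should list the VENDORS group policy and an address from the vendor pool, and show access-list VENDOR_VPN_FILTER should show hit counts only on the permit line.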
