05-17-2021 09:57 AM
Hello Engineers and Professionals,
I wonder whether Firepower can have multiple IPv4 pools for remote access VPN.
I have one IPv4 pool for remote users, but I need different user accounts for vendors.
For example:
Company Users: 192.168.1.20-192.168.1.200 (Can access all internal servers.)
Vendors: 192.168.1.10-192.168.1.19 (Can access a specific server.)
And, FTD can have two different ways: one is the website and the other is AnyConnect.
I would like to have company users use AnyConnect and vendors use WebVPN, if it's feasible.
Do you have a better idea for Firepower?
ASA can have a host account; in contrast to Firepower, it was easy to create an account for a vendor.
But it is hard to create a secured account for Firepower.
05-17-2021 11:47 AM - edited 05-17-2021 12:18 PM
Tunnel-group example below; this will be unique to the vendors. They would connect to the example URL as defined using the group-url (obviously amend to fit your environment).
group-policy VENDORS internal
group-policy VENDORS attributes
vpn-tunnel-protocol ssl-client
address-pools value VENDORS_VPN_POOL
!
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
authentication-server-group LDAP
tunnel-group VENDORS webvpn-attributes
group-alias VENDORS enable
group-url https://asa-vpn1.company.com/vendors enable
FYI, a tunnel-group is actually the same as a Connection Profile. Tunnel-group is the name when configuring using the CLI and Connection Profile if configuring using ASDM.
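As an added example (not code from the thread or from Cisco), a small Python checker that walks an ASA/FTD-style config, resolves each connection profile to its address pool through its group-policy, and reports any profiles whose pools overlap, so the vendor range really is separate from the company range and can be matched by its own access rules. The COMPANY profile, the default-group-policy binding and the ip local pool lines are assumptions not shown in the answer above.

```python
import ipaddress
import re

# Constructed sample config (not from the thread): the VENDORS profile from the
# answer above plus an assumed COMPANY profile and the "ip local pool" lines
# defining the two ranges from the question. default-group-policy is assumed.
SAMPLE_CONFIG = """
ip local pool VENDORS_VPN_POOL 192.168.1.10-192.168.1.19 mask 255.255.255.0
ip local pool COMPANY_VPN_POOL 192.168.1.20-192.168.1.200 mask 255.255.255.0
group-policy VENDORS attributes
 address-pools value VENDORS_VPN_POOL
group-policy COMPANY attributes
 address-pools value COMPANY_VPN_POOL
tunnel-group VENDORS general-attributes
 default-group-policy VENDORS
tunnel-group COMPANY general-attributes
 default-group-policy COMPANY
"""

def parse_pools(cfg):
    """Map pool name -> (first, last) address from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+)-(\S+)", cfg, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def parse_bindings(cfg):
    """Map tunnel-group -> pool name via its default-group-policy's address-pools."""
    policy_pool, tg_policy, section = {}, {}, None
    for raw in cfg.splitlines():
        head = re.match(r"^(group-policy|tunnel-group) (\S+) (attributes|general-attributes)", raw)
        if head:                        # start of an attributes block
            section = (head.group(1), head.group(2))
            continue
        line, words = raw.strip(), raw.split()
        if section and section[0] == "group-policy" and line.startswith("address-pools value "):
            policy_pool[section[1]] = words[-1]
        elif section and section[0] == "tunnel-group" and line.startswith("default-group-policy "):
            tg_policy[section[1]] = words[-1]
    return {tg: policy_pool.get(pol) for tg, pol in tg_policy.items()}

def overlapping_profiles(cfg):
    """Return profile pairs whose pools share an address (empty means isolated)."""
    pools, bindings = parse_pools(cfg), parse_bindings(cfg)
    names = sorted(tg for tg, pool in bindings.items() if pool in pools)
    rng = {tg: pools[bindings[tg]] for tg in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if rng[a][0] <= rng[b][1] and rng[b][0] <= rng[a][1]]  # closed ranges intersect
```

Feed it the output of `show running-config` and a non-empty result means two connection profiles can hand out the same address, which defeats pool-based access rules.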
05-17-2021 10:03 AM
Yes, you can have multiple VPN IP pools; these can be applied to users either dynamically via LDAP/RADIUS or statically configured on the tunnel-group/group-policy. The easiest thing in your scenario would be to create a dedicated tunnel-group, configure a new VPN pool and get the vendors to connect to this tunnel-group.
FTD does not support WebVPN, you can only use AnyConnect for Remote Access VPN.
05-17-2021 11:16 AM
I really appreciate your reply..!!
I would like to try right away; is there a document I can refer to for configuring a tunnel-group?
Thank you.