11-10-2013 11:46 AM - edited 02-21-2020 07:18 PM
I have a Cisco ASA 5525-X.
Behind the firewall I have six separate networks, with interface 0 connected to the Internet.
Cisco Anyconnect clients can connect from the Internet without any problems.
What I want to do is restrict users/groups to specific networks.
For instance -group1 can only connect to network1 after authentication.
The problem I have is that users that are NOT part of the tunnelgroup are still authenticated and get access to a network they shouldn't have access to.
In short I want six groups for six networks but can't seem to make this work.
The reason for this is that these networks are six distinct networks with one Internet feed.
I would be most grateful if somebody can point me in the right direction.
thanks
11-10-2013 12:30 PM
Hi,
I am not sure how you have configured the current VPN Client setup.
Do you have "tunnel-group" for each of these 6 networks?
I guess in that case you have a "group-policy" for each "tunnel-group" that either restricts the traffic through Split Tunnel setting or with the use of VPN Filter ACL (or both)?
And if you have "username" configured for all the users on the ASA itself then you could naturally use the "username
You also have the ability to set that user's "vpn-group-policy" under the "username
- Jouni
11-11-2013 08:58 AM
Hi Jouni
Life is simple when you know how.
Thanks for the quick response, works a treat.
I have used the "group-lock" command to lock users to a particular network, that's just what I wanted.
I do have one other question, however, not a showstopper. I have multiple VPN profiles so a user can select the one to use. I would like, if at all possible, to not have the dropdown list but assign the correct profile to the username.
When I de-select the option "Allow users to select connection profile" it uses the "DefaultWebVPNGroup". The dropdown box with the VPN selections is now gone but my VPN logon now also fails.
I have tried several settings in the users properties but so far, no joy.
Peter
11-11-2013 10:09 AM
Hi,
I got to admit that I am a bit rusty on the VPN Client side.
In some of our environments we utilize the default RA (Remote Access) "tunnel-group" only and use a separate AAA server to return the correct group for the user based on their login information.
Now if we had to do this with just the ASA then I am not 100% sure how to set it up. I wonder if the solution would then be to remove all the non default "tunnel-group" configurations related to the type of VPN you are using and simply using the default "tunnel-group" and assigning "username" different "group-policy" based on their need?
In other words using only the default "tunnel-group" there would be nothing to choose from in the drop down menu but the "group-policy" attached to the "username" would define to which networks traffic would be tunneled and so on.
I guess this would still require you to configure an "address-pool" under the default "tunnel-group" or you would have to define each users IP address under the "username
To view the default "tunnel-group" and "group-policy" configurations on the CLI of the ASA you would have to use this command
show run all tunnel-group
show run all group-policy
Do take note that these commands print out a lot more information/configuration than the usual "show run" variation. This is because the command also shows the default settings which aren't otherwise visible in the "show run" output.
Would really need to test this myself to be able to give you an 100% sure answer.
- Jouni
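The two approaches discussed in this thread, the per-network "tunnel-group" with "group-lock" and the single default "tunnel-group" with a per-"username" "group-policy", as an added ASA configuration example. This is not the original poster's configuration and not something Jouni posted; all names (NET1, POOL_NET1, GP_NET1, TG_NET1, the 10.x addresses and the user "alice") are constructed for illustration, and only two of the six networks are shown. Both the "vpn-filter" ACL and the split-tunnel list are written so that a user who lands in the wrong "group-policy" still cannot reach the other networks, which is the restriction the original question asks for.

```cisco
! ---- Approach 1: one tunnel-group per network, user locked to it ----
! Constructed example values: network1 is 10.10.1.0/24, the client pool for it
! is 10.99.1.0/24. The same pattern is repeated for networks 2 to 6.
ip local pool POOL_NET1 10.99.1.10-10.99.1.250 mask 255.255.255.0

! vpn-filter ACLs are written with the VPN client address as the source and
! the internal network as the destination; the ASA applies them in both
! directions. Nothing else is permitted, so a client in GP_NET1 cannot reach
! network2 even if routing would allow it.
access-list VPNFILTER_NET1 extended permit ip 10.99.1.0 255.255.255.0 10.10.1.0 255.255.255.0

! Split-tunnel list: only network1 is sent through the tunnel.
access-list SPLIT_NET1 standard permit 10.10.1.0 255.255.255.0

group-policy GP_NET1 internal
group-policy GP_NET1 attributes
 vpn-tunnel-protocol ssl-client
 address-pools value POOL_NET1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NET1
 vpn-filter value VPNFILTER_NET1
 ! Reject logins that arrive through any other tunnel-group (including
 ! DefaultWebVPNGroup). This is what stops an authenticated user from
 ! "borrowing" another network's connection profile.
 group-lock value TG_NET1

tunnel-group TG_NET1 type remote-access
tunnel-group TG_NET1 general-attributes
 default-group-policy GP_NET1
tunnel-group TG_NET1 webvpn-attributes
 ! The alias is what appears in the AnyConnect drop-down list.
 group-alias Network1 enable

! Local user bound to network1. The password is a placeholder, not a real value.
username alice password REPLACE_WITH_REAL_PASSWORD
username alice attributes
 service-type remote-access
 vpn-group-policy GP_NET1
 group-lock value TG_NET1

! ---- Approach 2: only the default tunnel-group, policy chosen per username ----
! Hiding the connection-profile drop-down in ASDM corresponds to this:
webvpn
 enable outside
 anyconnect enable
 no tunnel-group-list enable

! Every AnyConnect login now hits DefaultWebVPNGroup, so it needs a pool
! (or each username needs its own "vpn-framed-ip-address").
ip local pool POOL_DEFAULT 10.99.0.10-10.99.0.250 mask 255.255.255.0
tunnel-group DefaultWebVPNGroup general-attributes
 address-pool POOL_DEFAULT
 default-group-policy DfltGrpPolicy

! A "group-lock" left over from approach 1 would make logins via
! DefaultWebVPNGroup fail, so it is cleared here; the per-user policy
! (vpn-filter, split-tunnel list, address pool) still comes from
! "vpn-group-policy GP_NET1" on the username.
username alice attributes
 no group-lock
 vpn-group-policy GP_NET1
```

After applying either approach, "show run all group-policy GP_NET1" and "show run all tunnel-group TG_NET1" (or DefaultWebVPNGroup) show the inherited defaults alongside these settings, which is the quickest way to confirm that no inherited value (such as a permissive default vpn-filter or split-tunnel policy) undoes the restriction.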