Cisco ASA 5510 - VPN (AnyConnect) restrictions based on AD user or IP address

Kevin_W
Level 1

Hello,

I want to test how to restrict AnyConnect users on an ASA 5510. In the policy I can define which networks go through the VPN tunnel and which do not (split tunneling). The ASA has an LDAP connection, and only AD users in a specific security group can connect via AnyConnect.
Furthermore, I would like to restrict the access for specific users within one VPN policy.

So my question:
What are your recommendations to implement this scenario?

My two ideas would be:
1. Access rules based on the AD user.
2. Reserve specific IP addresses in the AnyConnect address pool for some users, so I can restrict the access in the normal firewall ruleset based on the source IP.

What are your recommendations, and is it possible to realize my ideas (and how)?

Thanks in advance

Best regards


3 Replies

jagmeesi
Level 1

Hi

Please go through the following links:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

I think what you can do is, with the help of the above-mentioned documents, assign a particular group-policy to the users connecting from the AD database who have a particular group in AD. You can define the VPN pool of the intended IP address range in that group-policy.

Regards

Jagmeet Singh

Diego Lopez (Accepted Solution)
Level 1

Hello,

I would suggest that you configure a second AD group on the server and another group policy on the ASA. You can configure certain access in each group policy (set up filters, assign a different split-tunnel policy, a different ACL), and in the AD server you can assign the users, for example, to AD group A and AD group B based on the access that you want to give them. Then you need to configure LDAP mapping to assign the user the particular group policy that you want, based on the AD group that they are part of.

You can follow this documentation that will help you configure the LDAP mapping:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

Regards, please rate.
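As a worked example of the approach in the two replies above (LDAP attribute mapping to one group-policy per AD group, each with its own address pool and filter ACL), here is an added ASA configuration fragment. It is not from the posters or from the linked Cisco documents; the AD group DNs, IP ranges, ACL and policy names, and server addresses are all made up, and it assumes AnyConnect itself is already working on the box. It covers both of the OP's ideas: each AD group lands in its own address pool (so rules can match on source IP), and each group-policy carries a vpn-filter that limits what that class of user can reach. Users whose memberOf matches neither group fall back to a group-policy that allows zero sessions.

```cisco
! --- Added example; every name, DN and address below is an assumption ---

! One address pool per AD group, so each class of user gets a predictable
! source range (the OP's idea 2).
ip local pool POOL-FULL 192.168.250.1-192.168.250.100 mask 255.255.255.0
ip local pool POOL-RESTRICTED 192.168.251.1-192.168.251.100 mask 255.255.255.0

! vpn-filter ACLs are written from the client's perspective:
! source = the client's assigned VPN address, destination = internal resource.
! Anything not permitted is dropped by the implicit deny.
access-list VPNFILTER-FULL extended permit ip 192.168.250.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list VPNFILTER-RESTRICTED extended permit tcp 192.168.251.0 255.255.255.0 host 10.10.20.5 eq 3389
access-list VPNFILTER-RESTRICTED extended permit udp 192.168.251.0 255.255.255.0 host 10.10.10.5 eq domain

! Networks sent through the tunnel (split tunneling), shared by both policies
access-list SPLIT-TUNNEL standard permit 10.10.0.0 255.255.0.0

! Fallback for users whose memberOf matches no map-value: no sessions allowed
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

group-policy GP-FULL internal
group-policy GP-FULL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value POOL-FULL
 vpn-filter value VPNFILTER-FULL

group-policy GP-RESTRICTED internal
group-policy GP-RESTRICTED attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 address-pools value POOL-RESTRICTED
 vpn-filter value VPNFILTER-RESTRICTED

! LDAP attribute map: AD memberOf value -> ASA group-policy name.
! Releases that lack the Group-Policy attribute name use IETF-Radius-Class here.
ldap attribute-map AD-GROUP-TO-GP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com" GP-FULL
 map-value memberOf "CN=VPN-Restricted,OU=Groups,DC=example,DC=com" GP-RESTRICTED

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.10.10.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service,DC=example,DC=com
 ldap-login-password <bind-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-TO-GP

tunnel-group ANYCONNECT-TG type remote-access
tunnel-group ANYCONNECT-TG general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
```

Two caveats a practitioner should check before relying on this. First, on ASA releases before 8.4 the tunnel protocol keyword is `svc` rather than `ssl-client`. Second, the OP's idea of enforcing per-pool rules in the "normal firewall ruleset" only works if decrypted VPN traffic is actually subject to the interface ACLs: by default `sysopt connection permit-vpn` is enabled and VPN traffic bypasses them, so either disable it (`no sysopt connection permit-vpn`) or rely on the vpn-filter, which is applied regardless. Keep each user in exactly one of the mapped AD groups; the memberOf-to-group-policy mapping is not meant for users who match more than one map-value, which is the limitation Rick's reply raises. To verify the mapping, run `test aaa-server authentication AD-LDAP username <user> password <pw>` with `debug ldap 255` enabled and confirm the memberOf value that was mapped, then check the assigned group-policy and address with `show vpn-sessiondb anyconnect`.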

I believe that there are two approaches that could be used to satisfy this requirement. The approach that has been available longer is to use LDAP mapping to base authorization on user attributes learned via LDAP, as suggested in the previous post. The newer alternative is to use Dynamic Access Policy. DAP overcomes some issues that arise in using LDAP mapping, such as the restriction of using memberOf where the user is a member of more than one group. Also, DAP allows you to configure access lists within the dynamic policy that can tailor user access to network resources.

HTH

Rick
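To illustrate the DAP alternative Rick describes, here is an added example of the CLI-visible part of two DAP records plus the catch-all default record. It is not Rick's configuration or Cisco's; the record names, ACL names and addresses are assumptions. One important assumption is called out in the comments: the selection criteria that tie a record to an AD group (an AAA attribute match such as `ldap.memberOf` containing a given group DN) are configured in the ASDM DAP editor and stored in dap.xml, so they do not appear in the running configuration below.

```cisco
! --- Added example; names and addresses are assumptions ---

! ACLs attached to DAP records. Same perspective as a vpn-filter
! (source = VPN client, destination = internal resource). DAP network ACLs
! must be all-permit or all-deny, so no explicit deny line is added here;
! traffic that matches nothing in the aggregated result is dropped.
access-list DAP-FINANCE-ACL extended permit tcp any host 10.10.20.5 eq 1433
access-list DAP-FINANCE-ACL extended permit tcp any host 10.10.20.6 eq 443

access-list DAP-HELPDESK-ACL extended permit tcp any 10.10.30.0 255.255.255.0 eq 3389

! One record per AD group. The match condition for each record
! (e.g. AAA attribute ldap.memberOf = CN=VPN-Finance,OU=Groups,DC=example,DC=com)
! is set in ASDM and kept in dap.xml, not in this config.
dynamic-access-policy-record DAP-FINANCE
 network-acl DAP-FINANCE-ACL
 priority 10
 action continue

dynamic-access-policy-record DAP-HELPDESK
 network-acl DAP-HELPDESK-ACL
 priority 20
 action continue

! DfltAccessPolicy applies only when no other record matches:
! a user in none of the mapped groups is refused.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
 user-message "Your account is not authorized for VPN access."
```

This is where DAP differs from the memberOf-to-group-policy mapping in the earlier reply: when a user is in both AD groups, both records match and the ASA aggregates their network ACLs, so that user gets the union of the two permit lists instead of whichever mapping happened to win. Use `debug dap trace` during a test login to see which records matched and how the attributes were evaluated.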