03-23-2016 07:40 AM - edited 02-21-2020 08:44 PM
We have a clientless SSL VPN web page set up that allows employees and contractors to log in and view an internal web page. I was asked if it is possible to separate employees and contractors from accessing the internal web page. The internal web page does not have user authentication. They would like to see if it's possible that employees' traffic gets proxied behind the INSIDE interface IP of the ASA, and contractor traffic gets proxied behind a different IP. So, the internal web page can check the IP of the contractor and only grant them access to view certain web pages but not all pages.
03-23-2016 03:19 PM
Hello,
Creating a group policy for each user group will be a good option; you can also use DAP to assign a web ACL to the user that is connecting to the clientless portal. You can use Cisco, LDAP or RADIUS attributes to associate the DAP with the user. For example, if you are using LDAP you can create 2 separate groups there for employees and contractors, and based on the LDAP group membership of the user they will be assigned the specific web ACL that you configured based on their access restrictions.
You can follow this link to configure a web ACL:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa83/asdm63/configuration_guide/config/acl_webtype.html#wp1100532
Once the ACL is ready you can follow this guide to set up the DAP (check figure 10 for web ACLs):
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/108000-dap-deploy-guide.html#intro
Thanks, please rate!
03-23-2016 09:17 AM
The way clientless SSL VPN works, the ASA will always proxy the client request on the interface where the destined resource is located.
If it suits you, you can have either employees or contractors go for the AnyConnect client-based solution.
Else create a different group-policy for the contractors and then create specific bookmarks for them which they are authorized to access, and then disable the URL entry so that they can't access anything other than that.
Check the section "Observing Clientless SSL VPN Security Precautions" in this document:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/webvpn.html#wp999589
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.