10-06-2008 10:05 AM - edited 02-21-2020 03:58 PM
Hello!
How do I ensure that my VPN users that are connected using AnyConnect VPN to my ASA5520 have the same access restrictions/permissions as those connected locally?
Assign a pool in the same vlan/subnet as those connected locally?
Any input helps. Thanks
10-06-2008 11:23 AM
Use VPN filters; you can configure group policies or per-user VPN filters to control access for RA clients to your inside resources.
Rgds
Jorge
10-06-2008 01:19 PM
Thanks Jorge,
I'll check out that doc.
So, just to clarify, if I had users on VLAN 10 on my Main site, the only way to allow my VPN users the same access permissions as those users in VLAN 10 is through VPN filters.
I can't just put my VPN users on VLAN 10 and that would auto-magically give them access to the same networks/resources as the Main site local LAN users.
???
Thanks.
10-06-2008 04:49 PM
Your AnyConnect RA clients should have a unique, separate network from any other internal subnets. You will find management and administration much easier as soon as you start creating different RA tunnels for different purposes in the future; at least this is my practice, and I find it easy to administer and/or troubleshoot. If you decide to use a VPN tunnel network that is the same as an inside subnet, you may encounter problems down the road which will be hard to troubleshoot.
Now you have the VLAN10 subnet internally. If I understand correctly, you want RA clients to have the same access VLAN10 users have. My question to you is: what type of access are you referring to? Do VLAN10 users have access to certain internal networks or specific hosts and some don't? If this is so, when you use VPN filters, build the same access control you have defined for VLAN10 users. You don't necessarily have to create per-user VPN filters; rather, create a group policy defining the permitted access through the ACL and apply it to the AnyConnect RA tunnel if the intent is for the whole tunnel group, just as shown in the RA VPN filter example link posted, excluding the per-user VPN filter.
Rgds
Jorge
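The configuration below is an added example illustrating Jorge's advice; it is not from the thread or from any Cisco document. All addressing is assumed: VLAN10 users on 192.168.10.0/24, servers on 192.168.20.0/24, and a dedicated AnyConnect pool on 10.99.0.0/24 that overlaps no inside subnet. Two points a practitioner should know when mirroring the VLAN10 rules into the filter: a vpn-filter ACL is always written with the VPN client as the source and the inside resource as the destination, and the ASA evaluates it in both directions against that same orientation, so a connection an inside host initiates toward a client is matched with the client still in the source field (which is why the port for such a rule sits on the source side). The ASA is stateful, so return packets of a connection the filter has permitted are not blocked. Also, by default `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the interface access-groups, which is why the vpn-filter is the right place for this policy; do not reuse the same ACL as an interface access-group.

```cisco
! Added example (not from the thread): ASA group-policy VPN filter that gives
! AnyConnect clients the same access VLAN10 users have.
! Assumed addressing (hypothetical):
!   VLAN10 users        192.168.10.0/24
!   File/app servers    192.168.20.0/24  (SMB, HTTPS)
!   DNS server          192.168.20.53
!   AnyConnect pool     10.99.0.0/24  - its own subnet, not part of VLAN10
!
! 1. Dedicated client pool, not overlapping any inside subnet
ip local pool ANYCONNECT-POOL 10.99.0.10-10.99.0.250 mask 255.255.255.0
!
! 2. Filter ACL. Source is always the VPN client (pool), destination is the
!    inside resource, even for connections the inside host initiates.
!    These ACEs mirror the assumed VLAN10 rules with 10.99.0.0/24 as the source.
access-list VPNFILTER-RA extended permit udp 10.99.0.0 255.255.255.0 host 192.168.20.53 eq domain
access-list VPNFILTER-RA extended permit tcp 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 445
access-list VPNFILTER-RA extended permit tcp 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0 eq 443
access-list VPNFILTER-RA extended permit icmp 10.99.0.0 255.255.255.0 192.168.20.0 255.255.255.0 echo
! Inside-initiated flow (assumed helpdesk host 192.168.10.50 RDPs *to* a client):
! the client stays the source, so the port goes on the source side.
access-list VPNFILTER-RA extended permit tcp 10.99.0.0 255.255.255.0 eq 3389 host 192.168.10.50
! Everything else through the tunnel hits the implicit deny; log it explicitly.
access-list VPNFILTER-RA extended deny ip any any log
!
! 3. Group policy carrying the pool and the filter
!    (vpn-tunnel-protocol svc is the AnyConnect keyword on 8.0-era code)
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol svc
 address-pools value ANYCONNECT-POOL
 vpn-filter value VPNFILTER-RA
!
! 4. Apply the group policy to the AnyConnect tunnel group
tunnel-group ANYCONNECT-RA type remote-access
tunnel-group ANYCONNECT-RA general-attributes
 default-group-policy GP-ANYCONNECT
!
! Verify after a client connects:
!   show vpn-sessiondb detail      (session should list Filter Name: VPNFILTER-RA)
!   show access-list VPNFILTER-RA  (hit counts per ACE while testing each access)
```

To check the policy, connect a client, exercise each kind of access a VLAN10 user has, and watch the hit counts on `show access-list VPNFILTER-RA`; anything that lands on the final deny ACE shows up in the log with the client's pool address as the source and tells you which rule is still missing.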
10-07-2008 09:15 AM
I see.
So, use the same ACL statements but change the source address to the pool of addresses used by the VPN users.
It was mentioned in the doc that the filter is applied in both directions. How does that affect return traffic?
Thanks for the help and advice.
I'll test these.