11-02-2009 12:38 PM
We have multiple WebVPN login pages on our ASA5510. We have recently created a new connection for an outside company to access 1 resource via the WebVPN.
I have looked around on ASDM and found the Web ACLs feature, but can't seem to figure out how to get it to work.
I want to restrict http://mywebvpn/OutsideCompany to a specific set of IP addresses. All other IP addresses should not be able to access this page.
In addition to doing this, we want to try and figure out a way to disable the default login page http://mywebvpn and make users type in http://mywebvpn/employee, any suggestions?
Any help is appreciated.
11-02-2009 01:37 PM
If a group-url is not specified (ie group-url https://mywebvpn/
-You can play around with the customization that's applied to the DefaultWEBVPNGroup to adjust how the login page actually looks and to provide instructions to the user which indicate how to use the WebVPN to your company.
-Restricting by IP might be more complicated than just restricting by username. If your outside contractors belong to a certain group in AD you can easily set up an LDAP mapping to force them to use certain settings (for example force them into a group policy that locks them to the tunnel group you've called OutsideCompany). You can also use the parameters sent back from authentication to restrict the connection so they're not able to actually log in (you can use LDAP mappings, RADIUS IETF groups, group-lock features on the ASA, etc.). See the following document for more information about mappings:
https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
-You can configure a Dynamic Access Policy alone or in addition to your authentication so that a user message is displayed for users who hit this group, or you can use the DAP to restrict access to the content they see. For more info about DAP see:
http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml
-You could set a group-url of https://mywebvpn on some other tunnel-group and restrict access for that group
There is an enhancement request open to create a way to disable the fall back to the DefaultWEBVPNGroup in the event that you only want users to connect via the group-url and not fall back to the DefaultWEBVPNGroup if no url is entered (see CSCsv54922)
11-03-2009 10:52 AM
Thanks for the response hdashnau.
The main reason we want to restrict by IP is because we have a contract that says they are only allowed to connect to our systems from their brick and mortar building. We wanted to figure out a way that would only allow access from their set of IPs. If there is a connection to the appliance outside of the specified IP range for that WebVPN tunnel, we want to be notified so we can put security measures into place.
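As an added example (not from this thread or from Cisco), one way to get the notification asked for above is to watch the ASA syslog feed for WebVPN session-start messages and flag logins to the contractor group that do not come from the contracted address range. It assumes the message follows the `%ASA-6-716001: Group <g> User <u> IP <ip> WebVPN session started.` format, that the Group field carries the group-policy name you lock the contractor tunnel group to, and that the group name `OutsideCompany` and the network 203.0.113.0/24 are hypothetical placeholders for your own values.

```python
import ipaddress
import re

# Assumption: ASA syslog ID 716001 with the fields in angle brackets.
WEBVPN_START = re.compile(
    r"%ASA-\d-716001: Group <?(?P<group>[^>\s]+)>? User <?(?P<user>[^>\s]+)>? "
    r"IP <?(?P<ip>[\d.]+)>? WebVPN session started"
)

# Hypothetical policy: group-policy name -> source networks allowed by contract.
ALLOWED_SOURCES = {
    "OutsideCompany": [ipaddress.ip_network("203.0.113.0/24")],
}


def check_line(line, policy=ALLOWED_SOURCES):
    """Return (group, user, ip) for a login that violates the policy,
    None for allowed logins, unrestricted groups, or unrelated messages."""
    m = WEBVPN_START.search(line)
    if not m:
        return None
    group, user, ip = m.group("group"), m.group("user"), m.group("ip")
    allowed = policy.get(group)
    if allowed is None:
        return None  # this group has no source-IP restriction
    src = ipaddress.ip_address(ip)
    if any(src in net for net in allowed):
        return None
    return (group, user, ip)


def find_violations(lines, policy=ALLOWED_SOURCES):
    """Scan an iterable of syslog lines and collect every violation."""
    return [v for v in (check_line(l, policy) for l in lines) if v]


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    "%ASA-6-716001: Group <OutsideCompany> User <contractor1> IP <203.0.113.7> WebVPN session started.",
    "%ASA-6-716001: Group <OutsideCompany> User <contractor1> IP <198.51.100.9> WebVPN session started.",
    "%ASA-6-716001: Group <employee> User <jdoe> IP <198.51.100.20> WebVPN session started.",
    "%ASA-6-302013: Built outbound TCP connection 12345 for outside:198.51.100.9/443",
]

if __name__ == "__main__":
    for group, user, ip in find_violations(SAMPLE_LOG):
        print(f"ALERT: {user} logged in to {group} from {ip}, outside the contracted range")
```

In production, feed the function the live syslog stream and hand the returned tuples to whatever alerting you already use; the same check also works after the fact over an archived log.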