How does one restrict certain VPN users to only access certain internal IPs?

clmcosysadmin
Level 1

I'm still relatively new to Cisco and have searched the question archives for similar answers. Then again, perhaps I'm not using the right search criteria.

I have an ASA5510 and so far primarily use the ASDM, as I'm still very much a novice at using the CLI.

I've set up remote VPN access for external users and it's working well ...

What I'd still like to do is have ...

Some (sysadmin) remote users be able to access all the IPs on the internal network, while most of the users (departmental managers) only need access to about 10 IPs.

Is there a "cookbook" method to go about accomplishing this?

Thanks,

Roy

9 Replies

attrgautam
Level 5

What you could do is create 2 different groups: sysadmins can log in to the first group and access all the content. The users in the 2nd group can access the restricted resources, which you can implement using split-tunneling on the ASA.

This is the only method I can think of for now.

Thanks for the suggestion!

I'll try that approach.

If you use RADIUS as an xauth for your remote VPN users, you can configure your RADIUS server to send an ACL name to the PIX, which can be applied as additional filtering.

As an example, I have a few different VPN groups set up to define general access restrictions (users/admins/etc.), as well as downloadable ACLs which get applied to each remote user's VPN connection to further restrict areas based on the particular user (or group).

On my RADIUS server (FreeRADIUS), this is configured with the attribute Filter-Id, which references the name of an ACL on the PIX to apply to the remote user.

This document may be useful if you end up adding this extra level of filtering:

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_configuration_guide_chapter09186a00801fd703.html

Cheers,

-Joshua

Joshua,

How did you go about configuring your FreeRADIUS server? Are you using the Linux version? I am trying to set up 802.1X auth with FreeRADIUS on a 2950 switch. Any help in configuring FreeRADIUS would be greatly appreciated.

Hi Stephen,

Yes, I'm using the Linux version. It was a straightforward configuration. The only change was that I had to configure it to use the old RADIUS authentication and accounting ports (1645/1646 respectively) by editing the /etc/raddb/radiusd.conf file (search for "port =").

The port to use depends on which RFC Cisco is following for that device. The newer RFCs define the port as 1812, and I believe FreeRADIUS defaults to this port as well. If you're unsure, start up tcpdump and watch for the requests.

After you have your ports set up properly, it's just a matter of editing your /etc/raddb/clients.conf file to set it up with the right secret. Also, set your nastype to cisco.

Cheers,

-Joshua

Joshua,

I am not having any problems figuring that out; it is figuring out how to set up the user credentials so that a user can authenticate the port.

Are you using any kind of SQL for user accounts? What is your recommendation on user credentials?

Thanks,

Stephen

Hi Stephen,

No, I'm using local accounts on the server, but nothing to do with 802.1X.

Google shows quite a lot of hits concerning FreeRADIUS and 802.1X authentication. Two of the most likely candidates are listed below:

http://www.tldp.org/HOWTO/html_single/8021X-HOWTO/

http://security.fi.infn.it/TRIP/802.1x-wired/802.1x-wired.html

-Joshua

grant.maynard
Level 4

Set up two VPN groups, one for sysadmins, one for users.

Create two pools of addresses and assign one pool to each VPN group.

On the ACL inbound to the outside interface, add lines to restrict VPN traffic, e.g.

access-list in_outside extended permit ip [sysadmin pool] any

access-list in_outside extended permit ip [user pool] [selected IPs]

Finally, force all VPN traffic through the in_outside ACL by putting "no sysopt connection permit-ipsec" in the config.
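As an added example (not from this thread or from Cisco), the following Python model of the two-pool approach above parses ASA-style extended ACL lines and evaluates them first-match, so the intended reachability (sysadmin pool reaches everything, user pool reaches only the selected hosts) can be checked before the ACL is pushed to the firewall. The pool and server addresses are constructed placeholders, and only the `ip` protocol keyword is modelled.

```python
import ipaddress

# Constructed sample: two VPN pools and the in_outside ACL from the answer above,
# with hypothetical addresses filled in. The trailing deny mirrors the ASA's implicit deny.
IN_OUTSIDE_ACL = [
    "access-list in_outside extended permit ip 10.200.1.0 255.255.255.0 any",
    "access-list in_outside extended permit ip 10.200.2.0 255.255.255.0 host 10.1.1.10",
    "access-list in_outside extended permit ip 10.200.2.0 255.255.255.0 host 10.1.1.11",
    "access-list in_outside extended deny ip any any",
]


def _parse_addr(tokens):
    """Consume one ASA address spec (any | host A | A MASK); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(lines):
    """Turn 'access-list NAME extended ACTION PROTO SRC DST' lines into (action, proto, src, dst)."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[3], t[4]
        src, rest = _parse_addr(t[5:])
        dst, _ = _parse_addr(rest)
        rules.append((action, proto, src, dst))
    return rules


def is_permitted(rules, src_ip, dst_ip):
    """First matching entry decides, as on the ASA; no match means deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in rules:
        if s in src and d in dst:
            return action == "permit"
    return False


def check_policy(rules, sysadmin_ip, user_ip, allowed_hosts, other_host):
    """Summarise the three facts the original poster wants to be true about the ACL."""
    return {
        "sysadmin_reaches_other": is_permitted(rules, sysadmin_ip, other_host),
        "user_reaches_allowed": all(is_permitted(rules, user_ip, h) for h in allowed_hosts),
        "user_reaches_other": is_permitted(rules, user_ip, other_host),
    }


if __name__ == "__main__":
    print(check_policy(parse_acl(IN_OUTSIDE_ACL), "10.200.1.5", "10.200.2.5",
                       ["10.1.1.10", "10.1.1.11"], "10.1.1.50"))
```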