How to restrict VPN users' access to specific servers

trinhphanle
Level 1

Hi all

I configured the ASA for remote access VPN and users authenticate via AD in our network. It works well; however, I cannot restrict users' access to specific servers. Let's say I have 03 servers: A, B, C. I just want some users to be able to remote desktop to A, others to B, and others to C.

I tried with an ACL but it does not work.

Thanks for any advice

Here is the configuration:

VPN(config)# show run
: Saved
:
ASA Version 8.2(5)
!
hostname VPN
enable password 6D6QN6WC8bYkI6/v encrypted
passwd 6D6QN6WC8bYkI6/v encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.30 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.92 255.255.255.240
!
ftp mode passive
access-list NONAT extended permit ip x.x.0.0 255.255.0.0 192.168.2.0 255.255.255.128
access-list ACL-SPLIT-TUNNEL extended permit ip x.x.0.0 255.255.0.0 192.168.2.0 255.255.255.128
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.2.0-192.168.2.128 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol ldap
aaa-server VPN (inside) host x.x.x.x
 ldap-base-dn dc=testing, dc=x
 ldap-scope xxxxx
 ldap-naming-attribute xxxxx
 ldap-login-password *****
 ldap-login-dn cn=x, cn=x, dc=testing, dc=x
 server-type x
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set TRANSFORM_SET
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
 banner value Welcome to xxxxxx
 vpn-idle-timeout 120
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
tunnel-group TESTGROUP type remote-access
tunnel-group TESTGROUP general-attributes
 address-pool VPN_POOL
 authentication-server-group VPN
 default-group-policy GROUP_POLICY
tunnel-group TESTGROUP ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5f0a85d04c5e5138385af3bd8d0f8145
: end

18 Replies

Jouni Forss
VIP Alumni

Hi,

I guess you would first need to know what IP address the user will get when he/she logs on with VPN? At the moment I assume the ASA just allocates an IP address randomly from the VPN Pool to the user?

In that case I guess you couldn't really make rules based on the user IP address if it kept changing.

If you have tried an ACL on the "outside" interface then that won't work unless you change another setting.

The default setting of the ASA is that it allows all traffic coming from a VPN Connection to bypass the interface ACL of the interface to which the VPN Clients connect. In this case your "outside" interface.

The default configuration command is

sysopt connection permit-vpn

If you were to change it to

no sysopt connection permit-vpn

Then you would have to allow ALL VPN related traffic in the interface ACL of "outside".

You could naturally also use a VPN Filter ACL attached to the "group-policy".

But I assume the main problem here is that the ASA provides the users with random IP address from the pool and that prevents from configuring the correct ACLs.

- Jouni

Thanks

I think the VPN filter ACL is just used for users in the local database of the ASA. I tried it and no users could remote access the servers. If I remove it, it works.

I am trying to configure the scenario where, after users authenticate successfully with AD, they are allowed onto the VPN channel, but they are only allowed to access specific servers, not all of them.

Thanks

Hi,

I would assume that the VPN Filter should work just fine when attached to the "group-policy" but the alternative way I described should let you use the "outside" interface ACL if you want.

But it still leaves the question of how you are going to build the ACL rules if the user isn't given a specific IP address every time.

- Jouni

Thanks

They will receive a different IP when connecting to the VPN, but it is in the range 192.168.2.0 255.255.255.128.

And we can create an ACL with that range.

Please correct me if I misunderstand anything.

Thanks

Hi,

Yes, that is possible.

But you mentioned that some users need to get to server A only and others to server B and others to server C.

How are you going to differentiate the users using that range of addresses from each other? If every one of them can access servers A, B and C then it's easy of course.

- Jouni

Thanks

I understand. I can assign a static IP when the user logs in by VPN. Could you please suggest an ACL that prevents user 192.168.2.1 255.255.255.128 from logging in to server x.x.x.30?

Thanks for your help

Hi,

Let me give you another example.

Since you are configuring your first VPN connection on the above ASA, there is no problem changing the "sysopt" setting.

You could enter this

no sysopt connection permit-vpn

After this we could start building the interface ACL which you could use to control the traffic from the VPN Clients.

Let's presume that you can allocate the user an IP address based on the login information. Let's also presume that the following is the starting information:

Users:

  • User A: 192.168.2.1
  • User B: 192.168.2.2
  • User C: 192.168.2.3

Servers

  • Server A: x.x.x.1
  • Server B: x.x.x.2
  • Server C: x.x.x.3

Let's now presume that you wanted to allow connections from User A to Server A and from User B to Server B and so on. Then you could configure the following ACL:

access-list OUTSIDE-IN remark Rules for VPN users
access-list OUTSIDE-IN remark User A
access-list OUTSIDE-IN permit ip host 192.168.2.1 host x.x.x.1
access-list OUTSIDE-IN remark User B
access-list OUTSIDE-IN permit ip host 192.168.2.2 host x.x.x.2
access-list OUTSIDE-IN remark User C
access-list OUTSIDE-IN permit ip host 192.168.2.3 host x.x.x.3
access-group OUTSIDE-IN in interface outside

The above configuration would allow all TCP/UDP traffic from User A to Server A and so on. They won't be able to access any servers other than what is specified in the ACL.

Hope this helps

Naturally the other option is to use the VPN Filter ACL as it should work too to my understanding but the above is one option.

- Jouni

Hi,

NOTICE! If you are remotely configuring the ASA at the moment THEN DO NOT CHANGE THE "sysopt" setting. Otherwise you will prevent your remote connections through the VPN Client connection.

- Jouni

Thanks. You are very helpful

But I did not configure sysopt before. Could you please explain more about this command? Additionally, I use ASA version 8.2.

And if you can, please show me how to work with VPN Filter and ACLs

Thanks a lot

Hi,

The default setting of the "sysopt" setting I mentioned is

sysopt connection permit-vpn

It doesn't normally show in the CLI format configuration unless you use this command:

show run all sysopt

The above mentioned default setting that you have in use at the moment simply means that any connection that is coming through a VPN connection (Client VPN, L2L VPN) will be able to bypass any ACL you may have configured on the "outside" interface. In other words the ACL won't apply to the VPN traffic but will apply to any traffic that is simply coming from the Internet (without VPN).

If you were to change this setting to the following

no sysopt connection permit-vpn

then it would mean that the traffic coming through the VPN connection would not be allowed through the firewall without matching a rule that permits traffic on the interface where the VPN is connected.

This again would let you use the above ACL configurations I mentioned to control what traffic is allowed, just like any traffic going through your ASA interfaces.

Here is the ASA 8.2 Command Reference section for that command which describes its use

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1517364

This document should explain the VPN Filter ACL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configss

- Jouni

Thanks a lot for your help.

I will let you know the result soon.

Thanks

If you have already integrated AD + DUO with your AnyConnect...

Create a DAP for A, B, C.

Create ACEs/ACLs under ACL Manager:

  • A - Access to server A on port
  • B - Access to server B on port
  • C - Access to server B on port

Then you have to allow your VPN pool range to get to where your servers reside (it might be a different firewall).

Deepak Kumar
Level 1

Hi,

I agree with Jouni about the details shared with you.

As you are using LDAP authentication for the clients, you can enforce static IP assignment to clients through the AD LDAP server. This way you will know the IP address of any user, and with that you can place a vpn-filter for the clients. You don't need to assign all users a static IP; if you want to restrict 3 users only, just assign IP addresses to them and the remaining users will get their IP address from the pool as usual.

This way you don't need to remove the sysopt connection permit-vpn command on the ASA (which lets the VPN traffic bypass the ACL on the outside interface). Also, you don't need to add multiple ACLs on the outside interface for any VPN traffic.

Setting to enforce an IP address for a VPN user with LDAP:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_extserver.html#wp1661694


After that you can set up a vpn-filter in the group-policy.

Suppose you assign IP addresses as follows and restrict each user from reaching one internal server:

  • A as 1.1.1.1, restricted from the internal server 192.168.32.1
  • B as 1.1.1.2, restricted from 192.168.32.2
  • C as 1.1.1.3, restricted from 192.168.32.3

The vpn-filter ACL would be (IP addresses placed in reverse order, server first and client second):

access-list vpn_filter_acl deny ip host 192.168.32.1 host 1.1.1.1
access-list vpn_filter_acl deny ip host 192.168.32.2 host 1.1.1.2
access-list vpn_filter_acl deny ip host 192.168.32.3 host 1.1.1.3
access-list vpn_filter_acl permit ip any any

==> If you don't want to permit everything else, you can remove the final permit line; you can also add permit or deny statements as per your requirement.

(You can restrict or permit as many user IP addresses as your requirement needs.)

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml#configss

group-policy GROUP_POLICY attributes
 vpn-filter value vpn_filter_acl

- Deepak
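The vpn-filter semantics described in the two answers above (each ACE written with the server as source and the VPN client as destination, first match wins, implicit deny after the last line) can be checked offline before the ACL is pushed to the ASA. The following is an added example, not code from this thread or from Cisco: a small Python evaluator for the ASA extended-ACL forms used in the thread, run over a constructed copy of the deny-list ACL from the reply above and, going one step beyond that reply, a permit-only variant that matches the original question (each user reaches exactly one server and nothing else). The names parse_acl, vpn_filter_allows, DENY_LIST and ALLOW_LIST are the example's own; the same parser also reads the OUTSIDE-IN interface ACL from earlier in the thread, with client and server swapped.

```python
import ipaddress
import re

# Matches the extended-ACL forms used in the thread; "remark" lines do not match.
ACE = re.compile(r"access-list\s+(\S+)\s+(?:extended\s+)?(permit|deny)\s+(\S+)\s+(.*)")

def _addr(tokens):
    """Consume one ASA address spec: 'any', 'host A.B.C.D' or 'NET MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(config_text, name):
    """Return the ACEs of ACL `name`, in order, as (action, protocol, src_net, dst_net)."""
    entries = []
    for line in config_text.splitlines():
        m = ACE.match(line.strip())
        if not m or m.group(1) != name:
            continue
        action, proto, rest = m.group(2), m.group(3), m.group(4).split()
        src, rest = _addr(rest)
        dst, _ = _addr(rest)  # port qualifiers (eq/range) are not modelled here
        entries.append((action, proto, src, dst))
    return entries

def vpn_filter_allows(entries, client_ip, server_ip, proto="tcp"):
    """First match wins; no match is an implicit deny. A vpn-filter ACE names the
    server as source and the VPN client as destination (the thread's 'reverse order')."""
    server, client = ipaddress.ip_address(server_ip), ipaddress.ip_address(client_ip)
    for action, p, src, dst in entries:
        if p in ("ip", proto) and server in src and client in dst:
            return action == "permit"
    return False

# Constructed copy of the reply's ACL: per-user denies followed by a blanket permit.
DENY_LIST = """
access-list vpn_filter_acl deny ip host 192.168.32.1 host 1.1.1.1
access-list vpn_filter_acl deny ip host 192.168.32.2 host 1.1.1.2
access-list vpn_filter_acl deny ip host 192.168.32.3 host 1.1.1.3
access-list vpn_filter_acl permit ip any any
"""

# Constructed permit-only variant: one server per user, everything else implicitly denied.
ALLOW_LIST = """
access-list vpn_allow permit ip host 192.168.32.1 host 1.1.1.1
access-list vpn_allow permit ip host 192.168.32.2 host 1.1.1.2
access-list vpn_allow permit ip host 192.168.32.3 host 1.1.1.3
"""
```

With DENY_LIST, user 1.1.1.1 is blocked from 192.168.32.1 but still reaches 192.168.32.2 because of the trailing permit; with ALLOW_LIST the same user reaches only 192.168.32.1.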

Thanks a lot for your help Jouni,

and thanks Kumar.

It works fine. However, I found a new problem.

That is, when I use 01 laptop, with user 1 to establish the VPN and remote to server B => fine.

At the same time, I use another laptop to establish a VPN (user 2) and remote to server B or C ==> not working.

After that I disconnect one of them ==> still not working until I reset the ASA.

* But if I make 01 VPN connection, remote to a server and disconnect after that, then make another VPN connection (using a different laptop) => fine, I can remote to any server I want.

Could the problem be because of the ASA version?

I use an ASA 5505, version 8.2 and Base license.

Thanks for your advice