
How to restrict VPN users' access to specific servers

trinhphanle
Level 1

Hi all

I configured the ASA for remote-access VPN and users authenticate via AD in our network. It works well; however, I cannot restrict users' access to specific servers. Let's say I have 03 servers: A, B, C. I just want some users to be able to remote desktop to A, others to B, and others to C.

I tried with an ACL, but it does not work.

Thanks for any advice

Here is the configuration:

VPN(config)# show run
: Saved
:
ASA Version 8.2(5)
!
hostname VPN
enable password 6D6QN6WC8bYkI6/v encrypted
passwd 6D6QN6WC8bYkI6/v encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address x.x.x.30 255.255.0.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.92 255.255.255.240
!
ftp mode passive
access-list NONAT extended permit ip x.x.0.0 255.255.0.0 192.168.2.0 255.255.255.128
access-list ACL-SPLIT-TUNNEL extended permit ip x.x.0.0 255.255.0.0 192.168.2.0 255.255.255.128
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool VPN_POOL 192.168.2.0-192.168.2.128 mask 255.255.255.128
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONAT
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 x.x.x.94 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server VPN protocol ldap
aaa-server VPN (inside) host x.x.x.x
 ldap-base-dn dc=testing, dc=x
 ldap-scope xxxxx
 ldap-naming-attribute xxxxx
 ldap-login-password *****
 ldap-login-dn cn=x, cn=x, dc=testing, dc=x
 server-type x
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map dyn1 1 set transform-set TRANSFORM_SET
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 43200
telnet timeout 5
ssh timeout 5
console timeout 0
management-access inside
dhcpd dns x.x.x.x
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy GROUP_POLICY internal
group-policy GROUP_POLICY attributes
 banner value Welcome to xxxxxx
 vpn-idle-timeout 120
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
tunnel-group TESTGROUP type remote-access
tunnel-group TESTGROUP general-attributes
 address-pool VPN_POOL
 authentication-server-group VPN
 default-group-policy GROUP_POLICY
tunnel-group TESTGROUP ipsec-attributes
 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:5f0a85d04c5e5138385af3bd8d0f8145
: end

18 Replies

By the way, I tried to assign a static IP address as in the document, but it is not working.

Thanks for your help

Hi,

I found one bug related to it, but before following this, try to configure the LDAP settings correctly. If you are facing any issues, check the LDAP debugs on the ASA.

debug ldap 255

https://supportforums.cisco.com/docs/DOC-32772

STATIC IP CONFIG:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/selected_topics/enforce_AD.html

<==================================>

Bug was first found in 8.0.3 code:

CSCsm00894

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsm00894

- Deepak

Deepak Kumar
Level 1

Hi,

With local-based authentication you can also assign a static IP address:

username testuser password test123
username testuser attributes
 vpn-framed-ip-address 192.168.2.7 255.255.255.0

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080a7afb2.shtml

- Deepak
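The per-user restriction the question asks for (one AD group may reach server A, another server B, another server C) can be built on this 8.2(5) ASA with one vpn-filter ACL per group-policy and an LDAP attribute map that selects the group-policy from the user's AD memberOf value; this is an added example, not configuration from the thread or from Cisco's documentation. The server addresses 10.10.0.11/12/13 and the AD group DNs are constructed placeholders; VPN_POOL, ACL-SPLIT-TUNNEL, GROUP_POLICY and the aaa-server VPN host are the ones already in the posted config.

```cisco
! Added example, not from the thread. Constructed values: server A 10.10.0.11,
! server B 10.10.0.12, server C 10.10.0.13, and the AD group DNs below.
!
! Why an interface ACL did nothing: sysopt connection permit-vpn is on by
! default, so decrypted VPN traffic bypasses interface ACLs. A vpn-filter is
! applied to the tunnel itself. ACEs use the VPN client address as source and
! the inside server as destination; return traffic is handled statefully.
access-list VPNFILTER_A extended permit tcp 192.168.2.0 255.255.255.128 host 10.10.0.11 eq 3389
access-list VPNFILTER_B extended permit tcp 192.168.2.0 255.255.255.128 host 10.10.0.12 eq 3389
access-list VPNFILTER_C extended permit tcp 192.168.2.0 255.255.255.128 host 10.10.0.13 eq 3389
access-list VPNFILTER_NONE extended deny ip any any
!
! One group-policy per server. Unset attributes inherit from DfltGrpPolicy,
! not from GROUP_POLICY, so the split-tunnel settings are repeated here.
group-policy GP_SRV_A internal
group-policy GP_SRV_A attributes
 vpn-filter value VPNFILTER_A
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
group-policy GP_SRV_B internal
group-policy GP_SRV_B attributes
 vpn-filter value VPNFILTER_B
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
group-policy GP_SRV_C internal
group-policy GP_SRV_C attributes
 vpn-filter value VPNFILTER_C
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL-SPLIT-TUNNEL
!
! Fail closed: a user in none of the mapped AD groups stays in GROUP_POLICY
! (the tunnel-group default) and gets a deny-all filter.
group-policy GROUP_POLICY attributes
 vpn-filter value VPNFILTER_NONE
!
! Map the user's memberOf value to a group-policy name (on 8.2 the
! IETF-Radius-Class attribute carries the group-policy). Keep each user in
! only one mapped group so the mapping is unambiguous.
ldap attribute-map AD_MAP
 map-name memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-ServerA,OU=Groups,DC=testing,DC=x GP_SRV_A
 map-value memberOf CN=VPN-ServerB,OU=Groups,DC=testing,DC=x GP_SRV_B
 map-value memberOf CN=VPN-ServerC,OU=Groups,DC=testing,DC=x GP_SRV_C
aaa-server VPN (inside) host x.x.x.x
 ldap-attribute-map AD_MAP
!
! Check what a connected user received:
!   show vpn-sessiondb remote filter name <username>
!   debug ldap 255   (shows the memberOf -> group-policy mapping at login)
```

With this in place a user mapped to GP_SRV_A can open RDP to 10.10.0.11 only; attempts toward B or C are dropped by the filter and show up as denied hits on the VPNFILTER_A ACL.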

Thanks Kumar

I meant that I can establish the VPN connection fine, but 02 users cannot remote desktop to the server at the same time.

If I try, it looks like I cannot remote desktop any more, until I reset the ASA.

In addition, if I connect via VPN and remote desktop, and after that I disconnect, I can connect to the VPN as another user from a different PC and can remote desktop to the server too.

Thanks