03-20-2016 08:14 AM
Hi Everyone,
I need help with AnyConnect configuration.
The objective is to set up Anyconnect VPN (over SSL) on ASA. The VPN can terminate on two interfaces - Inside or Outside. We want to allow a split tunneling for users terminating their VPN on inside interface (inside company network) and disallow this feature for users terminating their VPN on outside interface (Internet).
All users can terminate their VPN on both interfaces, Inside and Outside. They need to use always the same user account.
Everything seems to be easy, with one exception - the split tunneling set-up.
I thought that this could be done through the split-tunneling ACL settings in the Group Policy, however it looks like this is not the case - I can only specify networks for which all the traffic should be included in/excluded from the VPN tunnel. I'm not actually able to specify when split tunneling should be used and when not, based on what interface the VPN session is established on (Inside/Outside).
Somehow I sense that this should be done through Group Policy which is linked to Anyconnect Connection Profile. What I don't know is how to dynamically set up the Group Policy for each user upon login to the VPN without users having to select a Connection Profile (with different Group policy and Split Configuration) from drop-down list.
Is there any way to automate the process and dynamically assign Group Policies in the AnyConnect Connection Profile based on what interface the VPN terminates on (or based on what IP address the VPN connection is being negotiated on)?
We'll be using an LDAP server for VPN authentication, if that makes any difference in terms of Group Policy assignment etc.
Any hint/help is well appreciated.
Thank you guys.
03-20-2016 08:29 AM
What I don't know is how to dynamically set up the Group Policy for each user upon login to the VPN without users having to select a Connection Profile
So there are two things:
1. Allow users to connect without giving them
2. Dynamically setup the
Good that you mentioned you are using LDAP for authentication.
Now for the tasks to be accomplished
1. Allow users to connect without giving them
You could perhaps use group-
Here is a document for your reference.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98580-enable-group-dropdown.html
NOTE: The caveat is if the user still browses to https://abc.cisco.com, they will still be able to see drop down for your other users so you might have to disable the drop down completely.
2. Dynamically setup the
You may leverage your LDAP server to assign the group-policy as per the group/container the user is part
You could make all the users who wish to be in split-tunneling part of one AD group and all the other users for tunnel all to be in another AD group.
This way, whenever a user connects, you can allow all the users to connect to a single connection profile (e.g. DefaultWEBVPNGroup) and they will get the group-policy according to the AD mapping on the LDAP server.
Here is a doc for your reference:
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/98634-asa-ldap-group-pol.html
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-20-2016 08:57 AM
Hi Dinesh,
I'm not sure this solution will work - this way every user will have 2 user accounts: one for establishing the VPN on the inside interface (with split tunneling) and one for establishing the VPN on the outside interface (without split tunneling - when outside the office). Then, based on what user account is used, the group policy is applied.
It would be great if every user had only one account and connection profiles/group policies/split tunneling were automatically determined based on what interface the VPN connection is terminated/initiated on. I would even settle for having to select a connection profile from the drop-down list upon login to the VPN, as long as it's possible to restrict certain connection profiles based on what interface the VPN is being initiated on.
Thank you for the reply.
04-14-2016 08:04 AM
Peter,
I have figured out how to do this with Cisco ISE but not sure how this would be done with any other radius server.
In Cisco ISE, I set up an authorization policy that identifies traffic by the RADIUS value Calling-Station-ID (31). In my case the Calling-Station-ID is coming from a 10.x.x.x network. The resulting response to this policy that goes to the ASA is a CoA that contains the Group Policy name that has split tunnel applied at the ASA. In ISE there are Authorization Profiles that have a field for ASA VPN, which is where a Group Policy name can be applied to an authorization session.
All other authorizations drop past this policy and get the Tunnel All Group Policy applied.
Let me know if this is not clear and I will write more detail.
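Added example, not configuration from any poster in this thread or from the Cisco documents linked above: an ASA configuration sketch that shows the two pieces both suggestions rely on. The group-policy and split-tunnel ACL definitions are shared; the LDAP attribute map implements Dinesh's AD-group mapping, and the RADIUS server group with dynamic authorization is what lets the ASA accept the group-policy pushed by Mark's ISE authorization rule (the Calling-Station-ID rule itself lives in ISE and is not shown here). All names (GP-SPLIT, GP-TUNNELALL, SPLIT-ACL, LDAP-GP-MAP, ISE, LDAP-SRV), IP addresses, DNs and the 10.0.0.0/8 internal range are constructed placeholders; the tunnel-group is wired to the RADIUS server group, and the commented line shows the swap for the LDAP-only variant.

```cisco
! ---- Shared: the two group policies the user can land in ----
! Internal networks that stay in the tunnel when split tunneling is on
access-list SPLIT-ACL standard permit 10.0.0.0 255.0.0.0

group-policy GP-SPLIT internal
group-policy GP-SPLIT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ACL

group-policy GP-TUNNELALL internal
group-policy GP-TUNNELALL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall

! ---- Variant A (Dinesh): group-policy chosen by AD group via LDAP map ----
! Users are placed in one of two AD groups; the map turns memberOf into
! the ASA Group-Policy attribute. A user in neither group gets the
! tunnel-group default below (GP-TUNNELALL), i.e. the restrictive one.
ldap attribute-map LDAP-GP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Split,OU=Groups,DC=example,DC=com" GP-SPLIT
 map-value memberOf "CN=VPN-TunnelAll,OU=Groups,DC=example,DC=com" GP-TUNNELALL

aaa-server LDAP-SRV protocol ldap
aaa-server LDAP-SRV (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map LDAP-GP-MAP

! ---- Variant B (Mark): group-policy pushed by ISE over RADIUS / CoA ----
! dynamic-authorization lets the ASA accept the CoA that carries the
! group-policy name; ISE decides the name from Calling-Station-ID.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.0.0.20
 key <placeholder>
 authentication-port 1812
 accounting-port 1813

! ---- One connection profile for everyone, no drop-down needed ----
! default-group-policy is the fall-back when no mapping or CoA applies,
! so an unmatched session is tunnel-all rather than split.
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group ISE
 accounting-server-group ISE
 default-group-policy GP-TUNNELALL
! For Variant A only, use instead:
!  authentication-server-group LDAP-SRV

! AnyConnect terminates on both interfaces; the group alias list is
! deliberately not enabled, so users never see a profile drop-down.
webvpn
 enable outside
 enable inside
 anyconnect enable
```

The point worth checking in either variant is the fall-back: because DefaultWEBVPNGroup defaults to GP-TUNNELALL, a user whose AD membership is missing, or whose ISE rule does not match, still gets full tunneling rather than an open split tunnel. Variant A keys off the account, not the interface, which is the limitation Peter raised; Variant B is what makes the decision depend on the client address the ASA reports in Calling-Station-ID.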
04-04-2016 11:15 AM
I'm sorry, I don't have an answer, but I am searching for the same basic solution. With ISE it is possible to assign a dynamic Group Policy, but my struggle is to find a way to identify the traffic as internal or external. My first thought was to use the source IP address of the VPN user, but I have not found a way to create a policy that triggers on the source IP address of a VPN. The source IP address does show up in ISE as the Endpoint ID. Hope we can solve this one.