12-08-2010 04:34 AM - edited 02-21-2020 05:01 PM
Dear All.
I have a special requirement of only allowing a couple of URLs through remote access VPN, e.g. VPN users should be able to access the below URLs through the VPN:
www.abc.com\form\do\nect\user.html
I cannot use WebVPN/SSL VPN/AnyConnect client.
I can use only the remote access VPN client to connect to the ASA.
The ASA is a 5510 with 8.2.1.
Please let me know how to do it and, if possible, provide a step-by-step procedure.
12-08-2010 05:16 AM
Hi,
A way to do this is to allow the remote access VPN connections into the ASA.
Then, allow u-turn so that the VPN clients can get out to the internet via the ASA.
And.... configure MPF to only permit the desired URLs.
Check this link:
https://supportforums.cisco.com/docs/DOC-1268
Federico.
12-08-2010 05:36 AM
Thanks for your reply.
Since the ASA will allow the specified IP addresses from the VPN pool to the allowed hosts through the NAT exemption rule in the case of remote access VPN, please help me to understand your suggestion.
Also, can I use DAP for this requirement?
12-08-2010 07:29 AM
i.e.
VPN client pool 10.1.1.0/24
Internal range 172.16.0.0/24
Configuration to allow Internet access for the VPN clients (u-turn):
same-security-traffic permit intra-interface
nat (outside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
The above configuration will allow u-turn for the VPN traffic to the Internet using PAT.
The requirement is that all VPN traffic should be sent through the tunnel (no split-tunneling).
Additionally configure MPF to check which URLs are allowed.
Federico.
12-08-2010 07:59 AM
Thanks Federico,
Your solution would be correct if I had the URLs hosted over the Internet, but in my case the URLs are hosted in the DMZ and in the inside network.
I want remote access client VPN to be configured.
Users will access this VPN through the VPN dialer.
Users should have access to a particular URL only.
I have many URLs hosted on the same server, e.g.
www.abc.com\exmple\trd\main.aspx ... the user should access this
www.abc.com\example\trd ... the user should not be able to access this
www.abc.com\exmple\trd\main\access.html ... the user should not access this
Thanks for your response.
12-08-2010 08:03 AM
I see what you're saying... but the same concept applies then...
The VPN clients connect to the ASA (tunnel terminates here).
The VPN client tries to go to the URL.
By DNS or any other method, the VPN client is instructed that to reach the URL it should send the traffic to the DMZ (instead of to the Internet).
The MPF can be configured to permit/filter the URLs (on the Internet or on any other interface of the ASA).
Is this making more sense?
Federico.
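As an added example (not Federico's configuration or anything posted in the thread), this is how the MPF URL filtering he describes could look on ASA 8.2 for the single allowed page from the question; the object names, the 10.1.1.0/24 VPN pool and applying the policy on the outside interface are assumptions, and the path uses forward slashes as the browser actually sends it:

```cisco
! Added example, not from the thread: HTTP inspection via MPF that lets
! VPN-pool clients request only /exmple/trd/main.aspx on www.abc.com and
! drops every other HTTP request. Object names and the 10.1.1.0/24 pool
! are assumptions.
!
! 1. Regexes for the one permitted URI (anchored, optional query string)
!    and the permitted Host header.
regex ALLOWED_MAIN_ASPX "^/exmple/trd/main\.aspx($|\?)"
regex ALLOWED_HOST "^www\.abc\.com"
!
class-map type regex match-any ALLOWED_URIS
 match regex ALLOWED_MAIN_ASPX
class-map type regex match-any ALLOWED_HOSTS
 match regex ALLOWED_HOST
!
! 2. A request is blocked when EITHER its URI or its Host header is not on
!    the allow-list (match-any of two negated matches). /exmple/trd and
!    /exmple/trd/main/access.html from the question both land here.
class-map type inspect http match-any BLOCKED_HTTP
 match not request uri regex class ALLOWED_URIS
 match not request header host regex class ALLOWED_HOSTS
!
policy-map type inspect http RESTRICT_VPN_HTTP
 parameters
  protocol-violation action drop-connection log
 class BLOCKED_HTTP
  drop-connection log
!
! 3. Inspect only TCP/80 sourced from the VPN pool. Decrypted VPN-client
!    traffic enters the ASA on the outside interface, so the policy is
!    attached there (a pre-existing global policy with inspect http would
!    need this class merged into it instead).
access-list VPN_HTTP extended permit tcp 10.1.1.0 255.255.255.0 any eq www
class-map VPN_HTTP_CLASS
 match access-list VPN_HTTP
policy-map OUTSIDE_POLICY
 class VPN_HTTP_CLASS
  inspect http RESTRICT_VPN_HTTP
service-policy OUTSIDE_POLICY interface outside
```

This filters clear-text HTTP only; an HTTPS request to the same server is opaque to the ASA, so pages served over TLS can only be restricted at the host level (for example with a vpn-filter ACL), not by URL.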