01-15-2010 12:29 AM
Hi,
I'm trying to map VPN group-policies to users in the local database on an ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is a remote access VPN. Is it possible to have one tunnel-group for all remote VPN users and to map different group-policies to different users, so that when a user is authenticated, his group-policy is applied to him (address pool, filter lists, etc.)? All my users are getting the policy from the group-policy which is defined as the default policy under my tunnel-group (!?):
ASA# sh run tunnel-group
 default-group-policy POLICY3
tunnel-group GROUP1 ipsec-attributes
 pre-shared-key *
ASA# sh run group-policy
group-policy POLICY2 internal
group-policy POLICY2 attributes
 vpn-tunnel-protocol IPSec
 address-pools value POOL2
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy POLICY3 internal
group-policy POLICY3 attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 user-authentication enable
 address-pools value POOL3
group-policy POLICY1 internal
 address-pools value POOL1
ASA# sh run username
username USER2 password g9O3SBOu.Lds9mV4 encrypted
username USER2 attributes
 vpn-group-policy POLICY2
 service-type remote-access
username test password 274Y4GRAbNElaCoV encrypted
username test attributes
 vpn-group-policy POLICY2
 service-type remote-access
username USER3 password cNH.ND6XX2p2UgNJ encrypted privilege 15
username USER3 attributes
 vpn-group-policy POLICY3
username USER1 password jcSAXHlsFLpnIf2H encrypted
username USER1 attributes
 vpn-group-policy POLICY1
 service-type remote-access
01-15-2010 01:13 AM
This can be done in a different way - hopefully achieving what you want.
Basically you define tunnel-groups for each of your different VPN client groups. So let's assume you have 3 client groups and each group has access to different internal resources; the tunnel-groups you create can apply a different IP pool, thus allowing you to define different access policies in your group-policy configuration. In essence, you will have 3 tunnel-group configurations and 3 group-policy configurations, i.e.:
ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool client2-vpn 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224
tunnel-group client1-vpn type ipsec-ra
tunnel-group client1-vpn general-attributes
 address-pool client1-vpn
 default-group-policy client1-vpn
tunnel-group client1-vpn ipsec-attributes
 pre-shared-key *
tunnel-group client2-vpn type ipsec-ra
tunnel-group client2-vpn general-attributes
 address-pool client2-vpn
 default-group-policy client2-vpn
tunnel-group client2-vpn ipsec-attributes
 pre-shared-key *
tunnel-group client3-vpn type ipsec-ra
tunnel-group client3-vpn general-attributes
 address-pool client3-vpn
 default-group-policy client3-vpn
tunnel-group client3-vpn ipsec-attributes
 pre-shared-key *
group-policy client1-vpn internal
group-policy client1-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client1-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client1-vpn
 default-domain value somewhere.com
group-policy client2-vpn internal
group-policy client2-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client2-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client2-vpn
 default-domain value somewhere.com
group-policy client3-vpn internal
group-policy client3-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client3-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client3-vpn
 default-domain value somewhere.com
Obviously you don't need to use split-tunneling, but this is just an example of how it can be done.
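Both approaches above come down to the same question: which group-policy does a given local user actually end up with, and does the address pool it references make sense? The following script is an added example, not code from this thread or from Cisco. It parses a constructed `show run`-style snippet (modelled on the first post, with `REDACTED` in place of password hashes and a deliberately broken pool range like the one in the second post), applies the ASA inheritance order that the first post depends on (a `vpn-group-policy` under `username ... attributes` wins over the tunnel-group's `default-group-policy`, which in turn wins over `DfltGrpPolicy`), and reports users whose policy or pool is undefined, users with no `service-type remote-access` restriction, and pools that do not fit their mask or overlap each other. The function and variable names are my own; the parser assumes the one-space indentation that real ASA `show run` output uses for attribute lines.

```python
"""Which VPN group-policy does each local user get on a Cisco ASA?  Added example, not
code from the thread.  It applies the inheritance order the question relies on (username
'vpn-group-policy' beats the tunnel-group 'default-group-policy', which beats DfltGrpPolicy)
and checks 'ip local pool' ranges for the kind of typo seen in the second post."""
import ipaddress
import re

# Constructed sample modelled on the thread; POOL2's range is deliberately broken.
SAMPLE_CONFIG = """\
ip local pool POOL1 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool POOL2 10.0.20.64-10.0.24.127 mask 255.255.255.192
ip local pool POOL3 10.0.24.128-10.0.24.159 mask 255.255.255.224
group-policy POLICY1 internal
group-policy POLICY1 attributes
 address-pools value POOL1
group-policy POLICY3 attributes
 address-pools value POOL3
tunnel-group GROUP1 type ipsec-ra
tunnel-group GROUP1 general-attributes
 default-group-policy POLICY3
username USER1 password REDACTED encrypted
username USER1 attributes
 vpn-group-policy POLICY1
 service-type remote-access
username USER3 password REDACTED encrypted privilege 15
username USER3 attributes
 vpn-group-policy POLICY3
username USER4 password REDACTED encrypted
"""
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+)-(\S+) mask (\S+)$")


def parse_asa_config(text):
    """Return {"pools", "group-policy", "tunnel-group", "username"} dicts keyed by name;
    attribute lines (one-space indented, as in 'show run') become {keyword: [values]}."""
    cfg = {"pools": {}, "group-policy": {}, "tunnel-group": {}, "username": {}}
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        parts = line.split()
        if not line.startswith(" "):                  # top-level statement
            section = None
            m = POOL_RE.match(line)
            if m:
                cfg["pools"][m.group(1)] = m.group(2, 3, 4)   # (start, end, mask)
            elif len(parts) >= 3 and parts[0] in cfg:
                entry = cfg[parts[0]].setdefault(parts[1], {})
                if parts[2] in ("attributes", "general-attributes"):
                    section = entry
        elif section is not None and parts:
            section[parts[0]] = parts[1:]
    return cfg


def effective_policy(cfg, username, tunnel_group):
    """(policy, where it came from) for a user connecting through tunnel_group."""
    user = cfg["username"].get(username, {})
    if "vpn-group-policy" in user:
        return user["vpn-group-policy"][0], "username attributes"
    tg = cfg["tunnel-group"].get(tunnel_group, {})
    if "default-group-policy" in tg:
        return tg["default-group-policy"][0], "tunnel-group default-group-policy"
    return "DfltGrpPolicy", "system default"


def check_pools(pools):
    """Flag ranges that do not fit their mask or overlap another pool."""
    findings, spans = [], {}
    for name, (start, end, mask) in pools.items():
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        net = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
        if hi not in net:
            findings.append(f"pool {name}: {start}-{end} does not fit in {net}")
        spans[name] = (int(lo), int(hi))
    names = sorted(spans)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spans[a][0] <= spans[b][1] and spans[b][0] <= spans[a][1]:
                findings.append(f"pools {a} and {b} overlap")
    return findings


def audit(cfg, tunnel_group):
    """Per-user checks for the one-tunnel-group, many-group-policies layout."""
    findings = []
    for user, attrs in sorted(cfg["username"].items()):
        policy, src = effective_policy(cfg, user, tunnel_group)
        gp = cfg["group-policy"].get(policy)
        if gp is None and policy != "DfltGrpPolicy":
            findings.append(f"{user}: effective policy {policy} ({src}) is not defined")
        for pool in (gp or {}).get("address-pools", [])[1:]:   # skip the 'value' keyword
            if pool not in cfg["pools"]:
                findings.append(f"{user}: policy {policy} references undefined pool {pool}")
        if attrs.get("service-type") != ["remote-access"]:
            findings.append(f"{user}: no 'service-type remote-access' restriction")
    return findings + check_pools(cfg["pools"])
```

Run `audit(parse_asa_config(SAMPLE_CONFIG), "GROUP1")` and you get four findings: USER3 and USER4 carry no `service-type remote-access` restriction, POOL2's start and end are not in the same /26, and POOL2 overlaps POOL1. To use it against a real box, paste the output of `show run ip local pool`, `show run group-policy`, `show run tunnel-group` and `show run username` into the text in place of the sample. Note that it only resolves the group-policy name; per-attribute inheritance (a value missing from the user's policy falling back to the tunnel-group policy and then DfltGrpPolicy) is not modelled.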
01-15-2010 03:54 AM
Well, what is the purpose of group-policy if any tunnel-group must have ONLY one group-policy applied? So, I cannot have one tunnel-group for all users and a couple of group-policies which I will apply to users? If I have to create a new tunnel-group for every group of users, then I can configure the address pool and similar stuff under the tunnel attributes... Why is there an option to apply a group-policy for each user when it cannot be used when all users connect with the same tunnel-group?
01-17-2010 01:59 PM
Bug in software 8.0.4(12).
After upgrading to 8.0.5 it's working with no problem.