01-15-2010 12:29 AM
Hi,
I'm trying to map VPN group-policy to users in local database on ASA (Cisco Adaptive Security Appliance Software Version 8.0(4)12). It is Remote access VPN. Is it possible to have one tunnel-group for all remote vpn users and to map different group-policies to different users, so when a user is authenticated, his group policy is applied to him (address pool, filter list, etc)? All my users are getting policy from the group-policy which is defined as default policy under my tunnel-group (!?):
ASA# sh run tunnel-group
tunnel-group GROUP1 general-attributes
 default-group-policy POLICY3
tunnel-group GROUP1 ipsec-attributes
 pre-shared-key *
ASA# sh run group-policy
group-policy POLICY2 internal
group-policy POLICY2 attributes
 vpn-tunnel-protocol IPSec
 address-pools value POOL2
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec webvpn
group-policy POLICY3 internal
group-policy POLICY3 attributes
 vpn-idle-timeout 30
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT
 user-authentication enable
 address-pools value POOL3
group-policy POLICY1 internal
group-policy POLICY1 attributes
 address-pools value POOL1
ASA# sh run username
username USER2 password g9O3SBOu.Lds9mV4 encrypted
username USER2 attributes
 vpn-group-policy POLICY2
 service-type remote-access
username test password 274Y4GRAbNElaCoV encrypted
username test attributes
 vpn-group-policy POLICY2
 service-type remote-access
username USER3 password cNH.ND6XX2p2UgNJ encrypted privilege 15
username USER3 attributes
 vpn-group-policy POLICY3
username USER1 password jcSAXHlsFLpnIf2H encrypted
username USER1 attributes
 vpn-group-policy POLICY1
 service-type remote-access
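The setup the question asks for, written out as an added example (this is not the original poster's configuration): a single tunnel-group for every remote user, with the group-policy chosen per account from the LOCAL database. The ASA resolves attributes most-specific first: username attributes, then the group-policy named by `vpn-group-policy` under the user, then the tunnel-group's `default-group-policy`, then DfltGrpPolicy; whatever a level does not set is inherited from the next one. The pool ranges, the `remote-access` tunnel-group type keyword (this release also accepts the older `ipsec-ra` spelling) and the placeholder passwords are assumptions. Every VPN account is restricted with `service-type remote-access` so the same credentials cannot be used for SSH/ASDM login if `aaa authentication ... console LOCAL` is configured; note that USER3 in the posted config has privilege 15 and no such restriction.

```cisco
! Added example: one IPsec remote-access tunnel-group shared by all users,
! group-policy selected per user from the LOCAL database.
! Pool addresses, tunnel-group name and passwords are assumptions.
!
! Attribute precedence, most specific first:
!   username attributes > group-policy from "vpn-group-policy" under the user
!   > default-group-policy of the tunnel-group > DfltGrpPolicy

ip local pool POOL1 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool POOL2 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool POOL3 10.0.24.128-10.0.24.159 mask 255.255.255.224

! Base policy: what every VPN user gets unless a more specific level overrides it.
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol IPSec
 vpn-idle-timeout 30

! Per-group policies carry only the attributes that differ. The address pool is
! set here, not on the tunnel-group, so the address follows the user's policy.
group-policy POLICY1 internal
group-policy POLICY1 attributes
 address-pools value POOL1
group-policy POLICY2 internal
group-policy POLICY2 attributes
 address-pools value POOL2
group-policy POLICY3 internal
group-policy POLICY3 attributes
 address-pools value POOL3
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value NONAT

! One tunnel-group for everyone. Its default-group-policy is only the fallback
! for an account that has no vpn-group-policy of its own.
tunnel-group GROUP1 type remote-access
tunnel-group GROUP1 general-attributes
 authentication-server-group LOCAL
 default-group-policy DfltGrpPolicy
tunnel-group GROUP1 ipsec-attributes
 pre-shared-key <group-psk>

! Accounts: the policy is selected per user. "service-type remote-access"
! keeps the account from being accepted for management (SSH/ASDM) login.
username USER1 password <cleartext-password>
username USER1 attributes
 vpn-group-policy POLICY1
 service-type remote-access
username USER2 password <cleartext-password>
username USER2 attributes
 vpn-group-policy POLICY2
 service-type remote-access
username USER3 password <cleartext-password>
username USER3 attributes
 vpn-group-policy POLICY3
 service-type remote-access

! Verification once a user is connected: the session must report the user's
! own group-policy and an address from that policy's pool, not the
! tunnel-group default.
! show vpn-sessiondb remote filter name USER2
! show vpn-sessiondb detail remote filter name USER2
! show run all group-policy POLICY2     (shows inherited/default values too)
```

If `show vpn-sessiondb` still reports the tunnel-group's default policy for a user who has `vpn-group-policy` set, the per-user mapping is not being honoured by the software, which is what the thread ends up concluding for this release.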
01-15-2010 01:13 AM
This can be done in a different way - hopefully achieving what you want.
Basically you define tunnel-groups for each of your different VPN Client groups. So let's assume you have 3 client groups and each group has access to different internal resources; the tunnel-groups you create can apply a different IP pool, thus allowing you to define different access policies in your group-policy configuration. In essence, you will have 3 tunnel-group configurations and 3 group-policy configurations, i.e.:
ip local pool client1-vpn 10.0.24.1-10.0.24.63 mask 255.255.255.192
ip local pool client2-vpn 10.0.24.64-10.0.24.127 mask 255.255.255.192
ip local pool client3-vpn 10.0.24.128-10.0.24.159 mask 255.255.255.224
tunnel-group client1-vpn type ipsec-ra
tunnel-group client1-vpn general-attributes
 address-pool client1-vpn
 default-group-policy client1-vpn
tunnel-group client1-vpn ipsec-attributes
 pre-shared-key *
tunnel-group client2-vpn type ipsec-ra
tunnel-group client2-vpn general-attributes
 address-pool client2-vpn
 default-group-policy client2-vpn
tunnel-group client2-vpn ipsec-attributes
 pre-shared-key *
tunnel-group client3-vpn type ipsec-ra
tunnel-group client3-vpn general-attributes
 address-pool client3-vpn
 default-group-policy client3-vpn
tunnel-group client3-vpn ipsec-attributes
 pre-shared-key *
group-policy client1-vpn internal
group-policy client1-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client1-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client1-vpn
 default-domain value somewhere.com
group-policy client2-vpn internal
group-policy client2-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client2-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client2-vpn
 default-domain value somewhere.com
group-policy client3-vpn internal
group-policy client3-vpn attributes
 dns-server value x.x.x.x
 vpn-filter value client3-vpn_filter
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value client3-vpn
 default-domain value somewhere.com
Obviously you don't need to use split-tunneling, but this is just an example of how it can be done.
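Two pieces the three-tunnel-group design above depends on but does not show, as an added example (not part of the answer): the `vpn-filter` ACLs the group-policies reference, and `group-lock`. All three tunnel-groups authenticate against the same LOCAL database, so without `group-lock` any account is accepted on any tunnel-group whose group name and pre-shared key the user knows, and the user then receives that group's pool and filter. The internal hosts and networks (10.1.1.0/24, 10.1.1.10, 10.1.1.20) are assumptions. The ACL direction used here (VPN client address as source, internal resource as destination) is how the ASA evaluates a vpn-filter on decrypted traffic; confirm on your release by watching `show access-list` hit counts while the client sends traffic.

```cisco
! Added example (not from the answer): vpn-filter ACLs and group-lock for the
! per-tunnel-group design. Internal addresses are assumptions.

! 1. The vpn-filter ACLs referenced by the three group-policies. Source is the
!    client pool, destination the internal resource; the ASA applies the filter
!    to decrypted traffic after it leaves the tunnel and to traffic before it is
!    encrypted, so return traffic needs no separate entry. Unlisted traffic drops.
access-list client1-vpn_filter extended permit ip 10.0.24.0 255.255.255.192 10.1.1.0 255.255.255.0
access-list client2-vpn_filter extended permit tcp 10.0.24.64 255.255.255.192 host 10.1.1.10 eq 443
access-list client2-vpn_filter extended permit udp 10.0.24.64 255.255.255.192 host 10.1.1.20 eq 53
access-list client3-vpn_filter extended permit tcp 10.0.24.128 255.255.255.224 host 10.1.1.20 eq 3389

! 2. group-lock: ties the policy to one tunnel-group. If a client2 user learns the
!    client1-vpn group name and pre-shared key and connects through client1-vpn,
!    the session is rejected instead of receiving client1's pool and filter.
group-policy client1-vpn attributes
 group-lock value client1-vpn
group-policy client2-vpn attributes
 group-lock value client2-vpn
group-policy client3-vpn attributes
 group-lock value client3-vpn

! Verification: filter hit counts climb as the client sends traffic; a session
! that tried the wrong tunnel-group never appears in the session table.
! show access-list client2-vpn_filter
! show vpn-sessiondb remote
```

`group-lock` can also be set under `username ... attributes` for a single account; the per-user value wins over the group-policy value, following the same precedence order the ASA uses for every other attribute.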
01-15-2010 03:54 AM
Well, what is the purpose of group-policy if any tunnel-group must have ONLY one group-policy applied? So, I cannot have one tunnel group for all users and a couple of group-policies which I will apply to users? If I have to make a new tunnel group for every group of users, then I can configure address pool and similar stuff under tunnel attributes... Why is there an option to apply group-policy for each user when it cannot be used when all users connect with the same tunnel group?
01-17-2010 01:59 PM
Bug in software 8.0.4(12).
After upgrade to 8.0.5 it's working with no problem.