question about separating ssl vpn client access rights

west33637
Level 1

Hello all. I have an ASA 5510 SSL VPN that is serving all the third-party remote access VPN clients for my organization. The SSL VPN provides a group policy for each company, and for each company group policy we create a DHCP pool. Our extranet firewall controls which company has access to what destinations based on the IP address range that was provided to them (the DHCP pool). Under the tunnel-group configuration, we add the company's group policy and then configure them to authenticate to an RSA server (SDI). We configure a different alias for each company so that we can separate each company based on the URL that they access. Then, we contact the company and provide them their URL to access the SSL VPN. As soon as they access the URL and authenticate to the RSA server, they get assigned the correct DHCP pool based on whatever pool is configured under their group policy. This works; however, we have some problems.

Problem:

Company X has been provided access to confidential information through our extranet firewall based on the source IP address that they were assigned by their group policy. Company X accesses the SSL VPN using the URL ssl.vpn.com/X. They authenticate to the RSA server and, once authenticated, get assigned the DHCP pool that was configured for Company X.

Company Y should only have access to 2 PCs on our network based on the DHCP pool we configured for them under their group policy. They access the SSL VPN using the URL ssl.vpn.com/Y. However, through word of mouth, they discovered that they can type in the URL for Company X, authenticate to the same RSA server, get the IP range that was allocated to Company X, and get access to all the confidential information that they should not be authorized to access.

How can we fix this and separate these companies' access rights? I would rather we not perform the separation on the SSL VPN itself, but I welcome all suggestions. Thanks a million as always.

1 Reply

west33637
Level 1

Just a small addition: we are using the AnyConnect client.
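One way to close the gap described in the question, as an added configuration example that is not from the thread or from Cisco's own documentation: have the ASA derive the group policy from the user's identity (here, LDAP group membership, with authentication still on the RSA SDI server) and lock each group policy to its own tunnel-group, so an authenticated user who picks another company's alias or URL is refused rather than handed that company's pool. All names, the host address, and the DNs are placeholders; the pool assignment already present in each policy stays as it is, and Company Y's tunnel-group is configured the same way as Company X's.

```cisco
! Constructed example; RSA-SDI is assumed to be the already-defined SDI server group.

! 1. Deny by default: a user for whom authorization returns no group policy
!    must not inherit a usable policy from the tunnel-group they connected to.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

! 2. One policy per company, each locked to that company's tunnel-group.
!    A user authorized for GP-CompanyX who arrives via TG-CompanyY (or any
!    other alias/URL) fails the group-lock check and is rejected at login.
group-policy GP-CompanyX internal
group-policy GP-CompanyX attributes
 group-lock value TG-CompanyX
 address-pools value POOL-X
group-policy GP-CompanyY internal
group-policy GP-CompanyY attributes
 group-lock value TG-CompanyY
 address-pools value POOL-Y

! 3. Authorization source: the user's directory group decides which policy
!    they may receive. Unmapped users get nothing and fall to GP-NOACCESS.
ldap attribute-map AD-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-CompanyX,OU=Groups,DC=example,DC=com" GP-CompanyX
 map-value memberOf "CN=VPN-CompanyY,OU=Groups,DC=example,DC=com" GP-CompanyY

aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-MAP

! 4. Tunnel-group: authenticate against RSA, authorize against LDAP, require
!    authorization to succeed, and default to the no-access policy.
tunnel-group TG-CompanyX type remote-access
tunnel-group TG-CompanyX general-attributes
 authentication-server-group RSA-SDI
 authorization-server-group LDAP-AD
 authorization-required
 default-group-policy GP-NOACCESS
tunnel-group TG-CompanyX webvpn-attributes
 group-alias X enable
 group-url https://ssl.vpn.com/X enable
```

After applying this, a Company Y user who enters Company X's URL still authenticates to RSA but is denied the session, and the event is visible in the ASA syslog as a group-lock or authorization failure, which is also worth alerting on.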