Remote Access VPN in ASA with Multiple Groups

fatalXerror
Level 5

Hi Experts,

Good Day!

I have an implementation of remote-access VPN in ASA, and my client wants to have per-department access, such as: if you are in HR you only have access to HR apps, if you are in Legal you only have access to Legal, etc.

In my mind, I will create multiple group-policies in ASA which pertain to the different departments, and I will configure multiple crypto ACLs based on department also. However, it seems to be having an issue because you can only bind 1 ACL to 1 interface, which is the outside interface.

Is it possible that I will not bind any crypto ACLs to an interface but will bind the ACL in the group policy? Or is it much better if I use the dynamic access policy (DAP)?

Thanks


pjain2
Cisco Employee

You do not have a crypto ACL for remote access VPN; you have a split-tunnel ACL.

If you are trying to configure the AnyConnect client (the Cisco IPsec VPN client is already out of support) and you need different department users to have access to different applications, here is what you can do:

1. Use an authentication server like LDAP and make different groups for different users on the server.

2. Then, for whichever group the user authenticates to, assign a group-policy using an LDAP attribute map.

3. Create a NOACCESS policy so that users who are not authenticated are not allowed to connect.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/91831-mappingsvctovpn.html

You can configure split-tunneling for different departments in different group-policies so that the different user groups can access only certain networks:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/70917-asa-split-tunnel-vpn-client.html
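The steps in the reply above, written out as an ASA configuration fragment (an added example, not from the original post or from Cisco's documentation). The subnets, pool, group and object names, AD group DNs, bind account and server address are constructed placeholders; the vpn-filter lines go one step beyond the reply, because a split-tunnel list only shapes what the client routes into the tunnel, while vpn-filter enforces the per-department boundary on the ASA itself.

```cisco
! Split-tunnel lists: only the department's own subnet is routed into the tunnel
access-list SPLIT_HR standard permit 10.10.10.0 255.255.255.0
access-list SPLIT_LEGAL standard permit 10.10.20.0 255.255.255.0
!
! vpn-filter ACLs enforce the same boundary on the ASA (source = VPN client pool)
access-list VPNF_HR extended permit ip 192.168.100.0 255.255.255.0 10.10.10.0 255.255.255.0
access-list VPNF_LEGAL extended permit ip 192.168.100.0 255.255.255.0 10.10.20.0 255.255.255.0
!
ip local pool RA_POOL 192.168.100.1-192.168.100.254 mask 255.255.255.0
!
group-policy GP_HR internal
group-policy GP_HR attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_HR
 vpn-filter value VPNF_HR
!
group-policy GP_LEGAL internal
group-policy GP_LEGAL attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_LEGAL
 vpn-filter value VPNF_LEGAL
!
! NOACCESS is the tunnel-group default: anyone whose AD group is not mapped cannot log in
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Map the user's AD memberOf value to a group-policy name (constructed DNs)
ldap attribute-map AD_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-HR,OU=Groups,DC=example,DC=com" GP_HR
 map-value memberOf "CN=VPN-Legal,OU=Groups,DC=example,DC=com" GP_LEGAL
!
aaa-server AD protocol ldap
aaa-server AD (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service,DC=example,DC=com
 ldap-login-password <bind-password-placeholder>
 server-type microsoft
 ldap-attribute-map AD_MAP
!
tunnel-group RA_VPN type remote-access
tunnel-group RA_VPN general-attributes
 address-pool RA_POOL
 authentication-server-group AD
 default-group-policy NOACCESS
```

After a user connects, `show vpn-sessiondb anyconnect` lists the group-policy that was actually assigned, which is the quickest way to confirm the attribute map matched the intended AD group rather than falling through to NOACCESS.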