Restrict Anyconnect VPN user access to few inside subnets

muhammad ismail
Level 1

Hi,

How can I restrict the access of AnyConnect VPN users to a few inside hosts? And can I configure the ASA to assign IPs from multiple subnets to different AnyConnect users? And can we restrict the access of AnyConnect VPN users based on their user ID?

4 Replies

muhammad ismail
Level 1

This can be achieved by linking username attributes to different group-policies. To restrict access inside a group policy we can use the vpn-filter value "acl number" command.

Rudy Sanjoko
Level 4

yes, it is possible, there are some ways of doing it, see below links for examples and explanations.

Configure ACS to Assign a Group Policy at Login

VPN Access using Downloadable ACL

Hope this helps.

There's a concept of group-policies on the ASA. Each group policy can be assigned a different address pool (which controls what addresses will be allocated to clients using this GP) and a vpn-filter ACL (which restricts access to the resources defined in the ACL).

In the config it looks like this:

group-policy GUSTOM_GP attributes
        vpn-filter value FILTER_ACL
        address-pools value POOL

Group policy with defined attributes can be attached to specific tunnel group, as default group policy for the tunnel group, or applied to user itself.

Plus, a vpn-filter and an address can be assigned specifically to the user, with these commands:

username vpnuser attributes
        vpn-filter value vpnuser_filter
        vpn-framed-ip-address x.x.x.x

Hi,

We can't get this to work with LDAP authentication. LDAP-authenticated users are getting around the group-policy (ASA) filters by picking the full-access group from the dropdown in the Windows AnyConnect client, then logging in with their AD account.

Also, from AnyConnect Mobile, there is no dropdown to pick the more permissive group, and power users are hitting the default, more restrictive group.

Help...
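The following is an added worked configuration, not posted by anyone in this thread, that puts the group-policy / vpn-filter / address-pool pieces from the reply above together and addresses the LDAP problem in the last post: the group policy is selected from the user's AD group membership (ldap attribute-map), a default group policy that admits nobody catches unmapped users, and group-lock stops a user from connecting through a tunnel group other than the one their policy is tied to. Every name, address and DN in it is a constructed placeholder (RESTRICTED_GP, FULL_GP, NOACCESS_GP, CORP_VPN, 10.20.10.0/24, 192.168.50.0/24, 10.0.0.5, example.com). It also assumes the vpn-filter ACL is written with the VPN client address as the source and the inside resource as the destination; confirm that convention against the vpn-filter entry in the command reference for the ASA release in use before relying on the filter.

```cisco
! Added example configuration; all names and addresses below are placeholders.
!
! 1. vpn-filter ACL: the client pool may reach one inside subnet, nothing else.
!    Assumes client address = ACL source (verify for your ASA release).
access-list RESTRICTED_FILTER extended permit ip 192.168.50.0 255.255.255.0 10.20.10.0 255.255.255.0
access-list RESTRICTED_FILTER extended deny ip any any

! 2. One address pool per group policy, so each class of user lands in its own subnet.
ip local pool RESTRICTED_POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
ip local pool FULL_POOL 192.168.60.10-192.168.60.100 mask 255.255.255.0

! 3. Group policies. group-lock ties the policy to one tunnel group, so a user who
!    is mapped to RESTRICTED_GP is rejected if they connect through any other
!    tunnel group alias in the client dropdown.
group-policy RESTRICTED_GP internal
group-policy RESTRICTED_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value RESTRICTED_POOL
 vpn-filter value RESTRICTED_FILTER
 group-lock value CORP_VPN

group-policy FULL_GP internal
group-policy FULL_GP attributes
 vpn-tunnel-protocol ssl-client
 address-pools value FULL_POOL
 vpn-filter none
 group-lock value CORP_VPN

! 4. Default policy that admits nobody: an LDAP user whose AD group is not
!    mapped in step 5 falls through to this and cannot log in at all.
group-policy NOACCESS_GP internal
group-policy NOACCESS_GP attributes
 vpn-tunnel-protocol ssl-client
 vpn-simultaneous-logins 0

! 5. LDAP attribute map: AD group membership (memberOf) selects the ASA
!    group policy, so the policy follows the user ID, not the dropdown choice.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Full,OU=Groups,DC=example,DC=com" FULL_GP
 map-value memberOf "CN=VPN-Restricted,OU=Groups,DC=example,DC=com" RESTRICTED_GP

aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.5
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder-bind-password>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! 6. Tunnel group: authenticates against LDAP and starts every session from
!    NOACCESS_GP until the attribute map assigns a real policy.
tunnel-group CORP_VPN type remote-access
tunnel-group CORP_VPN general-attributes
 authentication-server-group LDAP_SRV
 default-group-policy NOACCESS_GP
tunnel-group CORP_VPN webvpn-attributes
 group-alias Corp enable

! 7. Per-user override for a locally defined account, as in the reply above:
!    a fixed client address plus the same restrictive filter.
username vpnuser attributes
 vpn-group-policy RESTRICTED_GP
 vpn-filter value RESTRICTED_FILTER
 vpn-framed-ip-address 192.168.50.5 255.255.255.0
```

With this layout the choice in the AnyConnect dropdown no longer decides what a user can reach: the group policy comes from the LDAP map, and a mismatch between the mapped policy's group-lock and the tunnel group the user picked ends the session. After a test login, `show vpn-sessiondb anyconnect` shows which group policy and tunnel group the session actually received, which is the quickest way to confirm the mapping is taking effect.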