Restricting Users to Specific Resources

wj343
Level 1

I'm currently using an ASA 5510 with AnyConnect that is deployed in my network.


I have a scenario where I need to create about 250-500 user accounts on the device, where each account has access to anywhere from 1-10 different resources (IP addresses) on the VPN network. Additionally, the users and their access to resources would be constantly changing (adding/deleting users, changing which resources a user can access, etc.), on a near hourly basis.


For example:

  • User #1: allow: 172.16.0.1, 172.16.0.3, 172.16.0.5
  • User #2: allow: 172.16.0.7
  • User #3: allow: 172.16.0.9, 172.16.0.11
  • etc, etc, etc...

I've read that by assigning a static IP address to each user, I could create ACLs to allow/deny the user access to certain resources. However, at my scale, there seem to be several problems with this approach:

  • I'll only have 10-20 users connected at any single point in time. Reserving a range of 500+ IP addresses would seem very wasteful and be a pain to configure/manage.
  • A user might want to connect on two separate devices at the same time, which may be problematic if they are only assigned a single static IP address.

I'm thinking of creating a split tunnel with a single profile to route the entire 172.16.0.0/12 to my ASA, then use some sort of user-based IP ACL to restrict the traffic.


Is this a feasible project with the ASA, and if so, could anyone recommend what configuration to use to achieve this?


1 Reply

Rahul Govindan
VIP Alumni

If the access is based on username, then using a static IP address may not be an ideal solution for the reasons you pointed out. Are these local users on the ASA? If yes, you can assign user attributes to them. The attribute of importance is the vpn-filter. Each user can have a VPN filter which essentially is an ACL containing access-list entries of what resources they can access. 

Example:


https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/vpn_groups.html#73582

hostname(config)# access-list acl_vpn permit tcp any 192.168.1.0 255.255.255.0 eq 23
hostname(config)# username anyuser password Abcd123! privilege 5
hostname(config)# username anyuser attributes
hostname(config-username)# vpn-filter value acl_vpn
hostname(config-username)#

You can easily script username and ACL/ACE CRUD operations using CLI commands to help with this.


VPN filter example below:

https://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/99103-pix-asa-vpn-filter.html#anc6
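As an added illustration of the scripting the reply suggests (example code, not from this thread or from Cisco), the script below turns a user-to-hosts map like the one in the question into per-user vpn-filter ACLs plus the matching username entries, and computes only the delta commands when the map changes, so near-hourly updates never require rebuilding everything. The ACEs follow the page's convention of the client as source (`any`) and the resource as destination; the `VPNF_` ACL naming, the password placeholder and the sample mapping are assumptions.

```python
"""Generate ASA CLI for per-user vpn-filter ACLs from a user -> hosts map.
Each user gets a dedicated ACL (client as source, per the vpn-filter convention)
and a username entry bound to it; diff_config() emits only the delta commands."""
import ipaddress

ACL_PREFIX = "VPNF_"                      # assumed naming convention
PASSWORD_PLACEHOLDER = "<SET-PASSWORD>"   # never embed real credentials in scripts


def acl_name(user):
    return f"{ACL_PREFIX}{user}"


def ace(user, host):
    """One permit entry; source 'any' is the client's pool address."""
    ipaddress.ip_address(host)            # reject typos before they reach the ASA
    return f"access-list {acl_name(user)} permit ip any host {host}"


def sorted_hosts(hosts):
    return sorted(hosts, key=ipaddress.ip_address)


def user_config(user, hosts):
    """Full CLI to create a user and bind them to their own vpn-filter ACL.
    Anything not listed is dropped by the ACL's implicit deny."""
    return [ace(user, h) for h in sorted_hosts(hosts)] + [
        f"username {user} password {PASSWORD_PLACEHOLDER}",
        f"username {user} attributes",
        f" vpn-filter value {acl_name(user)}",
    ]


def diff_config(old, new):
    """Commands moving the ASA from mapping `old` to mapping `new`."""
    cmds = []
    for user in sorted(set(old) - set(new)):           # removed users
        cmds += [f"no username {user}",
                 f"clear configure access-list {acl_name(user)}"]
    for user in sorted(set(new) - set(old)):           # new users
        cmds += user_config(user, new[user])
    for user in sorted(set(old) & set(new)):           # changed access
        for h in sorted_hosts(set(old[user]) - set(new[user])):
            cmds.append("no " + ace(user, h))
        for h in sorted_hosts(set(new[user]) - set(old[user])):
            cmds.append(ace(user, h))
    return cmds


if __name__ == "__main__":                             # constructed sample data
    before = {"user1": ["172.16.0.1", "172.16.0.3", "172.16.0.5"], "user2": ["172.16.0.7"]}
    after = {"user1": ["172.16.0.1", "172.16.0.5", "172.16.0.11"], "user3": ["172.16.0.9"]}
    print("\n".join(diff_config(before, after)))
```

Because every user has a distinct ACL, a mistake in one user's entries cannot widen another user's access, and the generated text can be reviewed (or diffed against `show run`) before it is pushed.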