03-15-2010 02:56 AM
Hi All,
Need your advice on this. I have multiple ASA firewalls in the Asia region providing SSL-VPN (Clientless-VPN) access to the corporate network, for example in Hong Kong and Singapore. When users from Singapore travel to Hong Kong, they can't use the SSL-VPN URL hosted there because, even though the login is successful, the DAP bookmarks are not configured on the HK firewalls. So these users have no choice but to SSL-VPN back to the Singapore firewalls, which is inefficient and slow.
My questions are as follows:
1) Can I export the DAP on the Singapore firewalls and import it to the Hong Kong firewalls, and vice versa?
2) Can I export the bookmarks on the Singapore firewalls and import them to the Hong Kong firewalls, and vice versa?
3) Due to the number of users, I have too many DAPs configured on each firewall to match each Cisco user ID to its respective bookmark. Can I use something like a variable, so that one DAP is sufficient? I need the DAP to capture the username keyed in by the user and match it against a bookmark configured with the same username.
Like.
cisco.username =%uname
bookmarks=%uname
Any help will be much appreciated. Thanks
03-15-2010 11:47 AM
Hi,
We don't have an easy method to display a bookmark list based on username.
However, you can create one master bookmark list which has many different individual bookmarks each including a variable "CSCO_WEBVPN_USERNAME".
Example:
http://myserver.com/CSCO_WEBVPN_USERNAME/home/root
cifs://myftpserver.com/root/users/CSCO_WEBVPN_USERNAME/marketing etc..
When you do this, the ASA will replace the macro CSCO_WEBVPN_USERNAME with session username.
So, if user "john" logs in, they will see two bookmarks: http://myserver.com/john/home/root, cifs://myftpserver.com/root/users/john/marketing
One other alternative is to use LDAP attribute maps instead of DAP. If you have an LDAP database or Active Directory that has all the usernames, you can use the LDAP attribute map feature, which maps a particular LDAP attribute (say cn or username) to the Cisco attribute WebVPN-URL-List.
See an example below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml
One caveat is that URL-List setting in DAP and LDAP attribute map are mutually exclusive. So, you shouldn't apply URL-List in DAP anymore.
Thanks,
Kiran
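To make the macro substitution described above concrete, here is a small model of it in Python. This is an added example, not Cisco code and not from the thread; the bookmark URLs are the two from the answer, and the percent-encoding of the username is an assumption of the model (the ASA's own handling of unusual usernames is not stated here).

```python
from urllib.parse import quote

# Macro name the ASA replaces with the session username (from the thread).
MACRO = "CSCO_WEBVPN_USERNAME"

# Constructed master bookmark list, using the two URLs from the answer above.
MASTER_BOOKMARKS = [
    "http://myserver.com/CSCO_WEBVPN_USERNAME/home/root",
    "cifs://myftpserver.com/root/users/CSCO_WEBVPN_USERNAME/marketing",
]


def expand_bookmark(template: str, username: str) -> str:
    """Return the bookmark a given user would see after macro substitution.

    Assumption (not from the thread): the username is percent-encoded as a
    single path segment, so characters such as ' ' or '/' in a username
    cannot change the structure of the resulting URL.
    """
    if MACRO not in template:
        raise ValueError(f"bookmark has no {MACRO} macro: {template}")
    safe_user = quote(username, safe="")
    return template.replace(MACRO, safe_user)


def expand_bookmark_list(templates, username):
    """Expand every bookmark in a master list for one session username."""
    return [expand_bookmark(t, username) for t in templates]


if __name__ == "__main__":
    # For user "john" this yields the two URLs quoted in the answer.
    for url in expand_bookmark_list(MASTER_BOOKMARKS, "john"):
        print(url)
```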
03-15-2010 06:55 PM
For the bookmarks, I think I can't make it simpler or use the method you suggest, because each individual VPN user has a unique bookmark that allows RDP to their personal desktop machine.
What about my questions on exporting DAP and bookmarks to import into another firewall?
03-15-2010 07:08 PM
My apologies, ASDM has an option to back up/restore the configuration. You can find it under "Tools". When you back up, select only DAP and CSD policies; everything else should be unchecked. Then you can save it as a zip file and restore it on the other ASA. If you need automatic sync-up and push of DAP, we will need to use CSM for that.
03-15-2010 07:18 PM
Hi,
Thanks for that. Last question: when you say back up the DAP and CSD policies from firewall A and restore them on firewall B, can I do it during production hours without impacting operations? And if firewall A has a DAP policy XX and firewall B has a policy YY, and I back up A's config and restore it on B, will YY be overwritten, or will they merge, with the end result being XX and YY?
Pardon me, can you provide the full terms for these?
DAP: dynamic access policies
CSD: Cisco Secure Desktop?
CSM: ??
03-15-2010 07:26 PM
If the DAP records have two different names, then the restore on Firewall-B will add to the existing DAPs (so XX and YY). If they are same, I am not very sure whether it will overwrite or merge. I will have to test.
CSM - Cisco Security Manager - Helps you configure multiple security devices (Firewall, router, switch, IDS, IPS, MARS etc) from one unified policy interface. Also supports checkpoint and rollover, multi-device config replication and push etc.
http://www.cisco.com/en/US/products/ps6498/index.html
DAP - Dynamic Access Policy
CSD - Cisco Secure Desktop.
03-15-2010 07:33 PM
Thanks for the clarification on these terms.
I notice that my firewall A is using CSD but firewall B is not.
Will restoring the config from A, with CSD, onto B cause any conflict?
Correction:
I see that I can choose not to back up the CSD config, just DAP alone.
But may I ask, which category do bookmarks fall into?
03-18-2010 01:23 AM
Bookmarks are known as "URL-Lists". They may show up under "webcontents" as well depending on the ASDM version.