Consider a situation where you have a "central" ASA hosting multiple l2l IPSec tunnels.
Outside users use AnyConnect to connect to the ASA and are granted the routing profile they choose.
Is there *any way* to use a single AnyConnect group which would dynamically set the needed VPN access list based on, for example, LDAP group info?
Small example:
l2l tunnel A has tunnel-specific and uses AnyConnect group A; only users in LDAP group XYA are allowed
l2l tunnel B has tunnel-specific and uses AnyConnect group B; only users in LDAP group XYB are allowed
If an end user has the right to connect to groups A and B (belongs to groups XYA and XYB), can this be dynamically managed?
The real-world case holds hundreds of split tunnels; this is just a simple example, and the question is whether this is possible or not.
-jra
Hi Jari
I'm not entirely sure I understand correctly what you want to achieve but I think you should be able to do so using a single group, and a set of DAP rules.
I.e. one rule that says "if user is member of XYA then apply acl A", another rule "if user is member of XYB then apply acl B" etc.
hth
Herbert
This works quite smoothly.
My problem was understanding the fact that I must route all available networks into the tunnel, and then DAP makes the ACL that decides where one can go.
I assume this is a simple thing with a force tunnel, but as I prefer split tunnel, this was a pain for me to understand.
Anyway, all good, everything works like a charm, case closed.
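Added example, not from the original thread or the poster's configuration, showing the ASA CLI side of what Herbert's answer and Jari's follow-up describe: one AnyConnect tunnel-group with a split-tunnel list that carries every site network, and one DAP record per LDAP group that attaches a per-site filter ACL. Names, addresses and the LDAP bind details are assumptions. The DAP selection criterion itself (AAA attribute ldap.memberOf containing XYA or XYB) is defined in ASDM under Dynamic Access Policies and stored in dap.xml, not in the running-config, so only the record bodies appear here. The DfltAccessPolicy is set to terminate so that a user who matches no group record gets no session instead of an unfiltered one.

```cisco
! Constructed example (not from the thread). Hostnames, names and
! addresses are assumptions.

! LDAP server used to authenticate AnyConnect users and to fetch
! memberOf for DAP.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
 ldap-login-password SECRET
 server-type microsoft

! One filter ACL per l2l site; DAP attaches the right one(s) to the session.
access-list VPN-FILTER-A extended permit ip any 10.10.0.0 255.255.0.0
access-list VPN-FILTER-B extended permit ip any 10.20.0.0 255.255.0.0

! The split-tunnel list must include EVERY site network. DAP only filters
! traffic that enters the tunnel; it cannot add routes the client was
! never given, which is the point Jari ran into.
access-list SPLIT-ALL standard permit 10.10.0.0 255.255.0.0
access-list SPLIT-ALL standard permit 10.20.0.0 255.255.0.0

group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-ALL

! Single tunnel-group for everyone; authorization is decided by DAP.
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 authentication-server-group LDAP-AD
 default-group-policy GP-ANYCONNECT

! DAP records. Match condition (ldap.memberOf = XYA / XYB) lives in
! dap.xml via ASDM. A user in both groups matches both records and DAP
! aggregates the two network ACLs.
dynamic-access-policy-record DAP-SITE-A
 description "LDAP group XYA -> site A filter"
 network-acl VPN-FILTER-A
 priority 10
dynamic-access-policy-record DAP-SITE-B
 description "LDAP group XYB -> site B filter"
 network-acl VPN-FILTER-B
 priority 10

! Fail closed: no matching group record means no session.
dynamic-access-policy-record DfltAccessPolicy
 action terminate
```

To verify a connected user, `show vpn-sessiondb detail anyconnect` lists the filter the session received; a user in XYA only should show VPN-FILTER-A and be unable to reach 10.20.0.0/16 even though that prefix is in the client's split-tunnel route table.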