Controlling VPN access

Unanswered Question
Jun 11th, 2008

Hi Guys,

We have a Cisco ASA 5510 and ACS 4.1 configured and the users can VPN into ASA and are authenticated by the ACS which is mapped to Active Directory and all works well.

I now need to know how to configure VPN access to allow certain groups to have access only to certain IPs or IP ranges.

Please any help or links appreciated.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (4 ratings)
Loading.
dominic.bilodea... Wed, 06/11/2008 - 12:01

Use the command "vpn-filter value YOUR-ACL-NAME" under your group-policy.

Then create the Access-list with the ip/ports you want them to access.

For example:

group-policy TEST internal

group-policy TEST attributes

dns-server value 10.1.1.60

vpn-tunnel-protocol svc

split-tunnel-policy tunnelspecified

split-tunnel-network-list value TEST_splitTunnelAcl

default-domain value TEST.com

vpn-filter value TEST_ACL

access-list TEST-ACL extended permit ip 10.1.1.0 255.255.255.0 10.1.3.3 255.255.255.255

This will allow access to any TCP ou UDP ports on host 10.1.3.3

marty.finn Wed, 06/11/2008 - 14:11

Thank You.

I was able to set access through different tunnel groups on the ASA. This will require different configs in the Cisco VPN client.

Is there a way to have a single tunnel group and then somehow set ACL that are tied to different groups in Active Directory? That way all Cisco VPN clients are configured the same way but based on AD group would define access control?

dominic.bilodea... Wed, 06/11/2008 - 17:31

Yes it's possible.

I am using one tunnel-group and many group-policy that matches some Windows Group in AD. So all I have to do is assign a particular windows user to a group to give him/her VPN access.

First: Specify a ldap-attribute-map under your aaa-server section. Also, you will need a user account with at least domain user rights in your domain (in my example the user is VPN-LDAP-User)

aaa-server VPN_AUTHOR protocol ldap

aaa-server VPN_AUTHOR (inside) host YOUR-LDAP-SERVER-IP

ldap-base-dn DC=your_domain,DC=com

ldap-scope subtree

ldap-naming-attribute sAMAccountName

ldap-login-password (VPN-LDAP-User's password in AD)

ldap-login-dn CN=VPN-LDAP-User,CN=Users,DC=your_domain,DC=com server-type microsoft

ldap-attribute-map Map_Groups_VPN

Secondly: Map The AD group to a group Policy on your Pix/ASA

ldap attribute-map Map_Groups_VPN

map-name memberOf cVPN3000-IETF-Radius-Class

map-value memberOf CN=VPNGroupA,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupA

map-value memberOf CN=VPNGroupB,OU=VPN_Acces,OU=SECURITY,DC=your_domain,DC=com GroupB

In the above example,if user john is member of Windows Group "VPNGroupA", he will be mapped to group-policy GroupA on ASA.

Then you create the GroupA policy similar to this:

group-policy GroupA internal

group-policy GroupA attributes

dns-server value 192.168.0.11 192.168.0.6

vpn-tunnel-protocol IPSec

split-tunnel-policy tunnelspecified

default-domain value your_domain.com

address-pools value Pool_Groupa

Please rate if this helps. It's hard to find good how-to for this so I'm glad to give you the detailed steps.

NB: Use "Debug ldap 255" to see how your LDAP query and mapping goes and seek for errors."

Also, make sure you have no spaces in your OU name under AD, because the ASA will not accept your map-value command (I had to figure it out after 2 hours of troubleshooting because I used "VPN Access" originallly)

marty.finn Sun, 06/15/2008 - 08:41

Thank you very much for the instructions. I am a complete CLI newbie but I see if I am going to be doing any advanced config or getting help from the forums I am going to have to learn.

So while I am not exactly sure how to implement this yet I am going to go through slowly and figure it out.

Thanks again.

pemasirid Sat, 10/24/2009 - 13:44

hi,

I would appreciate to receive some configuration steps on ACS to fulfill the following requirement and hope you can help me.

ACS Groups

Netadmin - need telnet/ssh/vpn/wireless

wireless - only wireless authentication

vpn - only vpn authenticaiton

I need to map the above ACS groups to one/or many AD groups and restric access as stated.

Also please note that one user can be belongs to all three groups in ACS/AD.

thanks in advance.

jerry.ely Sat, 11/07/2009 - 12:18

I have been looking for some time to find exactly these instructions. They worked for me the very first time!

Actions

This Discussion