VPN for 1 Server for Software vendor

jgarcia44
Level 1

Hello - n00b here, sorry if my wording isn't correct.

I want to give VPN access to a software vendor. But I do not want them to have unrestricted access to other resources on my network. Is there a way, from within the ASDM GUI (I will be using that rather than CLI due to my inexperience) on a Cisco ASA 5520, that I can accomplish this task?

Thank you for your assistance, any help is appreciated.

Joey

9 Replies

JORGE RODRIGUEZ
Level 10

Joey,

If I understand your post correctly, you want to allow access to a vendor through your current RA VPN in your firewall, and at the same time you do not want them to have unrestricted access to your local LAN. Just to be sure of your question: this means you do not want them to have full access, correct?

If this is what I understand, I would not recommend giving the VENDOR full access, but rather restrict access to only specific resources in your LAN or DMZ network.

In this scenario I would create a second VPN tunnel group for this particular vendor, where you can grant access to specific LAN resources through an access-list without touching the primary VPN tunnel that your company's regular users use for VPN. By creating a second tunnel group you will have more control of the vendor traffic into your LAN resources.

You can create a second tunnel through ASDM: create a new one with a unique tunnel group name, and create a new VPN address pool for this new tunnel. You may also have the VENDOR authenticate through just the tunnel group secret key, without the need to create a user name, if using the local user database in the ASA.

If you need further assistance let us know.

HTH

-Jorge

Pls rate posts that are helpful

Jorge Rodriguez

Your second comment is correct. I DO NOT want the vendor to have full access to all LAN resources. What if I have multiple vendors from different companies that need access to different systems? For example: I would like Springbrook support to access our Springbrook Server and I would also want Synergy support to have access to just the Synergy Server. It seems as if I will have to create multiple VPN pools and/or tunnel groups, yes? Thank you,

Joey

Yes, if you have 5 vendors I would treat them as such, with individual tunnel groups and specific access.

Now if you have many more than 5 vendors, I would consider looking into other alternatives, such as a DMZ network: isolate the servers in a DMZ zone, do a LAN-to-LAN VPN, and permit the vendor source IP and specific PORTS to access the DMZ servers.

Rgds

-Jorge

Jorge Rodriguez

Thank you for your time. I will create the different tunnel groups for each vendor. Are you a Cisco Tech with TAC? I might have to open a TAC case to have someone show me through the process once.

Joey

Joey,

I am not with Cisco TAC but do spend lots of time reading and participating in netpro threads. You are welcome to open a TAC case with Cisco.

Here is a link that provides the most common configurations on ASA firewalls for different scenarios in today's networks.

Scroll down to the Remote Access VPN section.

http://www.cisco.com/en/US/products/ps6120/prod_configuration_examples_list.html

Here is a specific link from the list above for RA VPN configuration. The key here is to create a new tunnel group name; if using ASDM it will ask you questions such as creating a unique local IP pool for the tunnel being created.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Rgds

-Jorge

PLS rate any helpful post

Jorge Rodriguez

Another much easier approach would be to create a per-user vpn-filter and give each contractor a separate username. Have a look at this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

Regards

Farrukh

Joey,

I like the vpn-filter per username in the RA access scenario in the link posted by Farrukh; indeed a much easier approach, which will allow you to simply stick with one RA tunnel group. Read the complete link, it is a great doc.

Rgds

Jorge

Jorge Rodriguez

The information looks good; however, since I am not well-versed in CLI I am having a hard time translating all that information. I would want to perform the task in ASDM. The GUI is a little more user-friendly for me. If I could get the same configuration info, but shown to me in ASDM terms (screenshots), that would be great!

Joey

Have a look at this (it is a complete ASDM example):

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080641a52.shtml

First you have to define an ACL as described here:

http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/selected_procedures/asdm_grp.html#wp1168992

Then you can apply it on the individual users 'Filter' option:

Please rate helpful posts.

Regards

Farrukh
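For readers who want to see what Jorge's per-vendor tunnel group and Farrukh's per-user vpn-filter look like in the running config, here is an added example. It is not from the thread, from Joey's ASA, or from the linked Cisco documents; every address, port, username and object name in it is an assumption chosen for illustration (a 192.168.1.0/24 LAN, a Springbrook server reachable over RDP, a Synergy server reachable over SSH and HTTPS, and an existing remote-access pool of 10.10.200.0/24). The security point the thread is circling is this: by default the ASA has `sysopt connection permit-vpn` enabled, so decrypted VPN traffic bypasses the interface access-lists entirely, and a vendor who authenticates successfully can reach anything the pool can route to. A vpn-filter is what actually constrains them.

```cisco
! Added example (not from the thread or Cisco's docs): restricting each
! vendor's VPN account to one server on an ASA 5520.
! All names, addresses and ports are assumptions for illustration.
!
! Assumed environment:
!   inside LAN          192.168.1.0/24
!   Springbrook server  192.168.1.50   vendor needs RDP   (TCP/3389)
!   Synergy server      192.168.1.60   vendor needs SSH   (TCP/22) and HTTPS (TCP/443)
!   existing RA pool    10.10.200.0/24 (shared with regular staff)

! --- Filter ACLs. For a remote-access vpn-filter the VPN client (pool
!     address) is the SOURCE and the LAN resource is the DESTINATION.
!     Return traffic is handled statefully, and the implicit deny at the
!     end of each ACL is what keeps the rest of the LAN out of reach.
!     Do not reuse these ACLs as interface access-groups.
access-list SPRINGBROOK-FILTER remark Springbrook support: RDP to Springbrook server only
access-list SPRINGBROOK-FILTER extended permit tcp 10.10.200.0 255.255.255.0 host 192.168.1.50 eq 3389
access-list SYNERGY-FILTER remark Synergy support: SSH and HTTPS to Synergy server only
access-list SYNERGY-FILTER extended permit tcp 10.10.200.0 255.255.255.0 host 192.168.1.60 eq 22
access-list SYNERGY-FILTER extended permit tcp 10.10.200.0 255.255.255.0 host 192.168.1.60 eq 443

! --- Farrukh's approach: one local username per vendor company, with the
!     filter bound to the user. Every vendor can share the existing tunnel
!     group and pool; the username decides what they can reach.
username springbrook-support password <placeholder>
username springbrook-support attributes
 vpn-filter value SPRINGBROOK-FILTER
username synergy-support password <placeholder>
username synergy-support attributes
 vpn-filter value SYNERGY-FILTER

! --- Jorge's approach: a dedicated tunnel group and group-policy per
!     vendor, with the same ACL applied at the group level. The vendor pool
!     is carved from the same 10.10.200.0/24 so the filter source still
!     matches; if you use a different range, change the ACL source too.
ip local pool SPRINGBROOK-POOL 10.10.200.51-10.10.200.60 mask 255.255.255.0
group-policy SPRINGBROOK-GP internal
group-policy SPRINGBROOK-GP attributes
 vpn-filter value SPRINGBROOK-FILTER
 vpn-tunnel-protocol IPSec
tunnel-group SPRINGBROOK-VPN type remote-access
tunnel-group SPRINGBROOK-VPN general-attributes
 address-pool SPRINGBROOK-POOL
 default-group-policy SPRINGBROOK-GP
tunnel-group SPRINGBROOK-VPN ipsec-attributes
 pre-shared-key <placeholder>

! --- Verification once a vendor is connected: the session detail shows
!     the filter name that was applied, and the hit counts on the ACL
!     lines show whether the permitted flows are actually being used.
show vpn-sessiondb detail remote filter name springbrook-support
show access-list SPRINGBROOK-FILTER
```

In ASDM the same thing is the ACL you create under the access rules, and then the Filter field on the user's (or group policy's) VPN settings, which is what Farrukh's last reply points at; ASDM writes the `vpn-filter value` line for you. Whichever approach you pick, test it by connecting as the vendor account and confirming that a connection to any host other than the permitted server is dropped, and check `show access-list` for hits on the expected line only.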
