09-23-2008 04:02 AM - edited 03-10-2019 04:06 PM
Hi there
I am trying to implement the following scenario and would like to know the best solution for me.
We have 2 groups of remote VPN users, 1) Support and 2) Operations, both using the Cisco VPN client to log in remotely to our site.
1) When members of the Support group VPN in, I want our Cisco ASA to give them an IP address from Pool A, I want them to be authenticated using TACACS, and then after successful authentication they are redirected to, or only have access to, Server A.
2) When members of the Operations group VPN in, I want our Cisco ASA to give them an IP address from Pool B, I want them to be authenticated using TACACS, and then after successful authentication they are redirected to Server A AND have full access to Servers B, C, D etc.
Is this possible? And if so, how?
Regards
09-23-2008 08:36 AM
Hi,
Yes this can be done.
This doc will be helpful in configuring the ASA for VPN:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/ike.html
On the ACS you create 2 user groups and link them to their appropriate LDAP/Active Directory groups. Create a downloadable IP ACL on the ACS to DENY the SUPPORT group access to servers B, C and D; the OPERATIONS group will then have access to all servers WITHOUT an IP ACL.
Here is a link to downloadable ACLs.
I'm making the assumption that you somewhat understand these features and the configuration of these devices. I can elaborate more if needed later on. There are a couple of ways to make your scenario work, but this is the first one that comes to mind.
RADIUS could be used to lock users into their appropriate groups as well.
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800946a2.shtml
I think it's the same for an ASA as for the 3000 concentrator.
HTH
Craig
09-23-2008 11:19 AM
I have a different philosophy and I call it: Keep It Simple Stupid (KISS).
I would do the following:
Place your ASA VPN device behind the firewall, with both the outside and the inside interface behind the firewall. Set up the VPN with two groups, VPN and NetOps, and use RADIUS to lock users into the appropriate groups. VPN will get IP pool VPN_pool and NetOps will get VPN_NetOps.
Create rules on the firewall to allow the appropriate access to resources based on IP pool.
This way it is much simpler than setting up downloadable ACLs.
Most enterprises set up VPN this way. They separate the functions of VPN and firewall into different devices.
my 2c
09-24-2008 12:33 AM
guys
Thanks for your input. The thing with ACS is I doubt we will be willing to spend thousands on it. The 2nd solution seems more within budget (FREE), so I will test it and post my findings back here.
Thanks once again for your advice
09-29-2008 06:24 AM
Hi guys
I've set up the following 2nd VPN to allow a Support user remote access to only one server. The VPN connects OK and assigns the right IP, but when I try to RDP from the Support laptop to the server nothing happens. The access lists aren't getting hit, so I'm lost as to why not. I've also added a static route on the server back to the remote pool using a different gateway (as this is in a test environment at present). Any ideas?
IP POOL for Remote user
ip local pool RA_VPN_SUPPORT 192.168.10.11 mask 255.255.255.255
NO NAT
access-list NONAT permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
For Split Tunnel -
access-list ACL_RA_VPN permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
ACL for RDP to server
access-list ACL_VPN_SUPPORT permit tcp host 192.168.10.11 host 192.168.1.17 eq 3389
access-list ACL_VPN_SUPPORT permit ip host 192.168.10.11 any
CRYPTO MAPS
crypto ipsec transform-set RA_VPN_SET esp-3des esp-sha-hmac
crypto dynamic-map DYN_MAP 4 set transform-set RA_VPN_SET
ISAKMP
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
VPNGROUP
vpngroup RA_VPN_SUPPORT address-pool RA_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT dns-server 192.168.1.19
vpngroup RA_VPN_SUPPORT default-domain test.com
vpngroup RA_VPN_SUPPORT split-tunnel ACL_VPN_SUPPORT
vpngroup RA_VPN_SUPPORT idle-time 1800
vpngroup RA_VPN_SUPPORT password ********
Regards
09-29-2008 07:57 AM
Greetings Soplandor,
This is possible, through IPsec connection profiles. Within the IPsec connection profile realm you can set the IKE peer authentication to pre-shared key or certificate based. Here you would also choose the user authentication type, which would be TACACS in this case. You can also assign a separate DHCP pool for each group based on the membership of the VPN user. You can assign group policies to show a different login banner to each group and apply different filters that allow access to only the resources you want each group to have.
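The per-group pool, TACACS authentication and per-group filter described in this reply (and the ACS/downloadable-ACL and firewall-by-pool approaches in the two earlier replies) can be expressed as one ASA configuration. The following is an added example and not configuration from anyone in this thread; it uses ASA 8.0-era syntax and assumes the thread's internal LAN 192.168.1.0/24 and Server A at 192.168.1.17, while the pool ranges, the TACACS+ server 192.168.1.20, the keys and all object names (POOL_SUPPORT, GP_OPS, TG_SUPPORT and so on) are made up for the example.

```cisco
! --- Added example, assumed addresses and names; not the original poster's config ---

! One address pool per group, so the firewall (or the vpn-filter below) can key on source address
ip local pool POOL_SUPPORT 192.168.10.11-192.168.10.50 mask 255.255.255.0
ip local pool POOL_OPS 192.168.11.11-192.168.11.50 mask 255.255.255.0

! TACACS+ server group used for user (XAUTH) authentication; host and key are assumed
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 192.168.1.20
 key SharedSecretChangeMe

! vpn-filter ACLs: written with the client-assigned address as SOURCE and the LAN as DESTINATION
! Support: RDP to Server A only.  Operations: everything on the LAN.
access-list VPN_FILTER_SUPPORT extended permit tcp 192.168.10.0 255.255.255.0 host 192.168.1.17 eq 3389
access-list VPN_FILTER_OPS extended permit ip 192.168.11.0 255.255.255.0 192.168.1.0 255.255.255.0

! Split-tunnel list (standard ACL): only the internal LAN is sent into the tunnel
access-list SPLIT_TUNNEL standard permit 192.168.1.0 255.255.255.0

! NAT exemption for both pools (nat 0 syntax of ASA 8.0/8.2)
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list NONAT extended permit ip 192.168.1.0 255.255.255.0 192.168.11.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Group policy for Support: its own pool, its own filter, locked to its own tunnel-group
group-policy GP_SUPPORT internal
group-policy GP_SUPPORT attributes
 vpn-tunnel-protocol IPSec
 address-pools value POOL_SUPPORT
 vpn-filter value VPN_FILTER_SUPPORT
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 group-lock value TG_SUPPORT

! Group policy for Operations
group-policy GP_OPS internal
group-policy GP_OPS attributes
 vpn-tunnel-protocol IPSec
 address-pools value POOL_OPS
 vpn-filter value VPN_FILTER_OPS
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 group-lock value TG_OPS

! Connection profiles (tunnel-groups): one per group, each with its own pre-shared key
tunnel-group TG_SUPPORT type ipsec-ra
tunnel-group TG_SUPPORT general-attributes
 authentication-server-group TACACS_GRP
 default-group-policy GP_SUPPORT
tunnel-group TG_SUPPORT ipsec-attributes
 pre-shared-key SupportGroupKeyChangeMe

tunnel-group TG_OPS type ipsec-ra
tunnel-group TG_OPS general-attributes
 authentication-server-group TACACS_GRP
 default-group-policy GP_OPS
tunnel-group TG_OPS ipsec-attributes
 pre-shared-key OpsGroupKeyChangeMe

! IKE phase 1 / IPsec phase 2 for the Cisco VPN client (AES/SHA instead of DES/MD5)
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set RA_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set RA_SET
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside
```

Two things to check once a client is connected. First, `show vpn-sessiondb remote` lists the connection's group policy and the filter that was actually applied, and `show access-list VPN_FILTER_SUPPORT` shows hit counts on the filter rather than on the interface ACL; by default the ASA has `sysopt connection permit-vpn` enabled, so decrypted VPN traffic bypasses the outside interface ACL entirely and only the vpn-filter (or, in the "separate firewall" design from the earlier reply, the downstream firewall) enforces the restriction. Second, this split relies on each group's pre-shared key staying with that group: TACACS+ authenticates the user but does not hand the ASA a per-user group policy, so a Support user who obtains the Operations key can connect through TG_OPS and receive GP_OPS. If that matters, move to certificate authentication, or to RADIUS or LDAP, where the server can return the group policy per user, and keep `group-lock` so a user mapped to one policy cannot connect through the other profile.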