Allowing a VPN user access to only certain networks

Unanswered Question
Nov 12th, 2008

I have been given a request by a client to create a profile for a VPN client. The requirements for this VPN client will be that they can access only one of our Production VLAN's within our network, and be blocked from the rest.

Our network design is as follows: VPN clients connect to our ASA appliance using Cisco VPN client. The ASA is then configured to use TACACS+ and send the authentication requests for VPN users to our Cisco ACS server. The ACS server is then configured to query Active Directory for the user. If the provided user credentials are correct, and match Active Directory, then TACACS+ allows the connections.

I think I can configure the scenario as follows:

I will have to create a user in Active Directory for the specific account. Then somewhere on the ASA (perhaps in dynamic Access rules?) i will create a rule or profile that allows the user to see our VLAN 6 but no others.

I would appreciate any input or instruction with respect to this.

Thank You in advance.

vincent-n Wed, 11/12/2008 - 20:14

Sorry if I sound like I hijacked the post. I've read the document. Just wanted to know what to do if you wanted to terminate different client groups on the same infrastructure? I'm thinking that the vpn-filter would work assuming that you have only one VPN group. Can you:

- create different ip pools for different VPN groups?

- create and apply different vpn-filters to different VPN group?


I've done something similar to what Kevin described in my network but using a MS RADIUS server instead.


Kevin, if you're interested please let me know

husycisco Thu, 11/13/2008 - 02:36

vpn-filter can be applied to many groups; it is not limited to only one group. I suggested a vpn-filter because the asker mentioned "create a profile for VPN client": a different tunnel-group and group policy for that specific client (a new profile) and a vpn-filter that denies that specific VLAN subnet, while other VPN clients access without restriction by using their profile.

Actually, if you have one group and don't want to create a new group, then MS RADIUS is the solution. You can use downloadable ACLs. It takes more time to configure RADIUS.

http://www.wr-mem.com/?p=109

Kevin Melton Mon, 11/17/2008 - 19:41

This is what I have configured so far

in ASDM:


Configuration>Remote Access VPN>Network Access>Group Policies: created a Group Policy for the New user company.


Configuration>Remote Access VPN> Network Access>Address Assignment>Address Pools:

created a 2nd address pool that will be specific for this client only


Configuration>Remote Access VPN> Network Access>Dynamic Access Policies: created a Dynamic Access Policy for this user that matches on AAA attributes "cisco.username" + "cisco.ipaddress". Created a Network ACL Filter that matches source address to the 2nd IP pool address to the allowed VLAN address.


So far when I select "Test Dynamic Access Policies" button, and then select any of the attributes including "Group Policy", "assigned IP Address", "Username" with AAA attribute type "Cisco" selected, it comes back with the result "continue"...

srue Mon, 11/17/2008 - 19:51

I recommend using LDAP authentication and LDAP mapping in this case. You can use just one tunnel group, and then do attribute mapping with LDAP.

For example, on the ASA, you can say:

if the authenticated user resides in this Active Directory OU, or is a member of this group, then apply this group-policy.

Within the group-policy, apply your vpn-filter.

...all this using just one tunnel-group.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml


http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/extsvr.html


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808c3c45.shtml
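The single-tunnel-group design srue describes, written out as an added example; this is not configuration from the thread or from Cisco's documents. It assumes the domain controller at 198.100.100.216 (the address the poster uses for DNS) answers LDAP, a read-only bind account, and two AD security groups whose DNs are placeholders of mine. The group-policies Allerton and bhivpn are the ones from the thread, with Allerton carrying the vpn-filter for VLAN 6.

```cisco
! Added example (ASA 8.0-style syntax), not from the thread.
! Assumptions: the DC at 198.100.100.216 speaks LDAP, the bind account and
! AD group DNs below are placeholders, and group-policies Allerton and bhivpn
! already exist (Allerton carrying the vpn-filter that limits access to VLAN 6).
!
! 1. Map the AD memberOf value to a group-policy name. IETF-Radius-Class is
!    the attribute the ASA reads the group-policy name from.
ldap attribute-map AD-VPN-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf CN=VPN-Allerton,OU=Groups,DC=boarsheadinn,DC=com Allerton
 map-value memberOf CN=VPN-Staff,OU=Groups,DC=boarsheadinn,DC=com bhivpn
!
! 2. LDAP server group that authenticates against AD and applies the map.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 198.100.100.216
 ldap-base-dn DC=boarsheadinn,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=ServiceAccounts,DC=boarsheadinn,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD-VPN-MAP
!
! 3. Fail closed: a user who authenticates but is in neither AD group lands
!    on a group-policy that permits zero sessions.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0
!
! 4. One tunnel-group for everyone. The user's AD group, not the group name
!    typed into the VPN client, decides which policy (pool, filter) applies;
!    "address-pools value ..." inside each group-policy overrides the
!    tunnel-group pool, so each group still gets its own address range.
tunnel-group remote general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
!
! Verify: "debug ldap 255" shows the memberOf values AD returns and the
! class they map to; "show vpn-sessiondb remote" shows the group-policy
! assigned to the live session.
```

Two caveats worth knowing before relying on this. First, the ASA takes a single memberOf value when mapping, so a user who sits in both VPN groups may not land where you expect; keep each VPN user in exactly one of the mapped groups. Second, the bind password and user credentials cross the inside network in clear on port 389; if the DC has a certificate, add `ldap-over-ssl enable` and `server-port 636` to the aaa-server host entry.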

Kevin Melton Tue, 11/18/2008 - 12:22

At this point, I have a working configuration with respect to the fact that I can authenticate the VPN client with the new username and password. I establish the tunnel. But for some reason, the client is NOT restricted to the one VLAN that I wrote the ACL for.

I am not sure why this is happening. There are no hits on my ACL.

I have the ACL associated with a dynamic access policy. Should I have it configured in another place?

srue Wed, 11/19/2008 - 07:55

post your vpn config..

verify your test user is being assigned the right group-policy.

Kevin Melton Wed, 11/19/2008 - 14:05

It is definitely getting the correct policy because it assigns an IP address from the correct pool.

Here is the config:


access-list Allerton extended permit ip host 10.10.1.101 VLAN6 255.255.255.0
access-list Allerton extended permit ip host 10.10.1.102 VLAN6 255.255.255.0

ip local pool allertonpool 10.10.1.101-10.10.1.102 mask 255.255.255.0

dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record Allerton
 description "Allow Allerton User access to VLAN 6 only"
 network-acl Allerton

group-policy DfltGrpPolicy attributes
 wins-server value 198.100.100.216
 dns-server value 198.100.100.216 198.100.100.221
 vpn-tunnel-protocol IPSec webvpn
 default-domain value boarsheadinn.com
 nac-settings value DfltGrpPolicy-nac-framework-create
 webvpn
  svc keepalive none
  svc dpd-interval client none
  svc dpd-interval gateway none
  customization value DfltCustomization
group-policy GroupPolicy1 internal
group-policy vpn3000 internal
group-policy vpn3000 attributes
 dns-server value 198.100.100.216
 default-domain value cisco.com
group-policy bhivpn internal
group-policy bhivpn attributes
 dns-server value 198.100.100.216
 vpn-tunnel-protocol IPSec
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
 default-domain value boarsheadinn.com
group-policy Allerton internal
group-policy Allerton attributes
 address-pools value allertonpool

username scot password 0M2vA8UILCS3d1da encrypted privilege 15
username lori password Yr/gR83NybANK3/d encrypted
username lori attributes
 service-type remote-access
username mike password Wsj.4X2eWmD2US.x encrypted privilege 15
username michael password hwK5CLnjFad6pOit encrypted
username michael attributes
 service-type remote-access
username Allerton password zuCL/.ny007Tpc/h encrypted
username Allerton attributes
 service-type remote-access
username kevin password XmTFZixn8OcGdJ2G encrypted privilege 15

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) vpn
 default-group-policy GroupPolicy1
tunnel-group bhivpn type remote-access
tunnel-group bhivpn general-attributes
 address-pool ippool
 authentication-server-group vpn LOCAL
 default-group-policy bhivpn
tunnel-group bhivpn ipsec-attributes
 pre-shared-key *
tunnel-group 206.248.224.2 type ipsec-l2l
tunnel-group 206.248.224.2 ipsec-attributes
 pre-shared-key *
tunnel-group remote type remote-access
tunnel-group remote general-attributes
 address-pool ippool
 authentication-server-group vpn
 accounting-server-group vpn
 default-group-policy bhivpn
tunnel-group remote ipsec-attributes
 pre-shared-key *
tunnel-group 24.127.125.200 type ipsec-l2l
tunnel-group 24.127.125.200 ipsec-attributes
 pre-shared-key *
tunnel-group Allerton type remote-access
tunnel-group Allerton general-attributes
 address-pool allertonpool
 authentication-server-group vpn LOCAL
 default-group-policy Allerton
tunnel-group Allerton ipsec-attributes
 pre-shared-key *
