Create an ACL for a particular WebVPN / group policy

Kenny Coleman
Level 1

We have multiple WebVPN login pages on our ASA5510. We have recently created a new connection for an outside company to access 1 resource via the WebVPN.

I have looked around on ASDM and found the Web ACLs feature, but can't seem to figure out how to get it to work.

I want to restrict http://mywebvpn/OutsideCompany to a specific set of IP addresses. All other IP addresses should not be able to access this page.

In addition to doing this, we want to try and figure out a way to disable the default login page http://mywebvpn and make users type in http://mywebvpn/employee, any suggestions?

Any help is appreciated.

2 Replies

hdashnau
Cisco Employee

If a group-url is not specified (i.e. group-url https://mywebvpn/ enable), the users will fall back to the DefaultWEBVPNGroup when accessing the page at https://mywebvpn. There are various different ways you can handle users that fall back to the DefaultWEBVPNGroup. Some things that come to mind (most happen during or after authentication):

-You can play around with the customization that's applied to the DefaultWEBVPNGroup to adjust how the login page actually looks and to provide instructions to the user which indicate how to use the WebVPN to your company.

-Restricting by IP might be more complicated than just restricting by username. If your outside contractors belong to a certain group in AD, you can easily set up an LDAP mapping to force them to use certain settings (for example, force them into a group policy that locks them to the tunnel group you've called OutsideCompany). You can also use the parameters sent back from authentication to restrict the connection so they're not able to actually log in (you can use LDAP mappings, RADIUS IETF groups, group-lock features on the ASA, etc.). See the following document for more information about mappings:

https://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

-You can configure a Dynamic Access Policy alone or in addition to your authentication so that a user message is displayed for users who hit this group, or you can use the DAP to restrict access to the content they see. For more info about DAP see:

http://www.cisco.com/en/US/products/ps6120/products_white_paper09186a00809fcf38.shtml

-You could set a group-url of https://mywebvpn on some other tunnel-group and restrict access for that group.

There is an enhancement request open to create a way to disable the fallback to the DefaultWEBVPNGroup, in the event that you only want users to connect via the group-url and not fall back to the DefaultWEBVPNGroup if no URL is entered (see CSCsv54922).
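The group-url / group-lock approach and the "catch the bare URL in its own tunnel-group" idea from the reply above, written out as an added ASA configuration example (not hdashnau's config and not from this thread). The policy, tunnel-group and ACL names, the intranet resource URL and the syslog collector address are assumed.

```text
! Added example; not configuration from the thread. Group, policy and ACL
! names (GP_OutsideCompany, OutsideCompany, Employee, WEB_OutsideCompany,
! Landing, GP_NoLogin) are assumed, as are https://intranet.example and the
! collector 10.0.0.5.
!
! Webtype ACL: the one resource the outside company may reach through the
! clientless portal; everything else the session requests is denied.
access-list WEB_OutsideCompany webtype permit url https://intranet.example/app/*
access-list WEB_OutsideCompany webtype deny url any

group-policy GP_OutsideCompany internal
group-policy GP_OutsideCompany attributes
 vpn-tunnel-protocol webvpn
 ! keep these users in their own tunnel-group even if they find another URL
 group-lock value OutsideCompany
 webvpn
  filter value WEB_OutsideCompany

tunnel-group OutsideCompany type remote-access
tunnel-group OutsideCompany general-attributes
 default-group-policy GP_OutsideCompany
tunnel-group OutsideCompany webvpn-attributes
 group-url https://mywebvpn/OutsideCompany enable

tunnel-group Employee type remote-access
tunnel-group Employee webvpn-attributes
 group-url https://mywebvpn/employee enable

! Catch the bare https://mywebvpn URL in a tunnel-group of its own so those
! users never land in DefaultWEBVPNGroup; zero simultaneous logins means the
! login form is shown but no session can be established from it.
group-policy GP_NoLogin internal
group-policy GP_NoLogin attributes
 vpn-simultaneous-logins 0
tunnel-group Landing type remote-access
tunnel-group Landing general-attributes
 default-group-policy GP_NoLogin
tunnel-group Landing webvpn-attributes
 group-url https://mywebvpn enable

! Source-IP visibility: WebVPN session syslogs carry the client address, so
! ship them to a collector that can alert on logins to the OutsideCompany
! group from outside the contractor's range. Nothing above filters clientless
! logins by source IP on the ASA itself; the alerting has to happen downstream.
logging enable
logging trap informational
logging host inside 10.0.0.5
```

The webtype ACL constrains what the contractor can reach once logged in; it does not replace the authentication-side restrictions (LDAP mapping, group-lock, DAP) the reply describes.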

Thanks for the response, hdashnau.

The main reason we want to restrict by IP is because we have a contract that says they are only allowed to connect to our systems from their brick-and-mortar building. We wanted to figure out a way that would only allow access from their set of IPs. If there is a connection to the appliance from outside of the specified IP range for that WebVPN tunnel, we want to be notified so we can put security measures into place.