12-04-2009 01:43 AM
I have an ASA 5505 8.0 for VPN RA, authenticating users locally.
Configured on it, there are 3 tunnel groups, to give access to different resources.
So far the users are able to establish the tunnel successfully, by vpn client, however they can't access the corporate resources.
Each user is assigned a vpn-group-policy (i.e. tunnel1), and a specific ip address pool; there are no nat translation problems, according to the log.
The problem, I'm pretty sure, is on the group policies and since I plan to rewrite the VPN configuration from scratch, I would like to receive some tips about how to configure the policies: "who accesses what".
In other words: where and how do I tell "the users belonging to this tunnel must be able to access only this resource?"
Thank you in advance
12-04-2009 04:10 AM
There could be several reasons why remote users cannot access internal resources:-
1) IP address - the internal systems do not know how to reach the VPN IP address pool
2) You have not configured the VPN ip address pools to be part of the no-nat policy
3) You have split- tunneling issues
4) The VPN pools are overlapping with an interface on the VPN device
To allocate specific access to particular users - there are several ways:-
1) Configure a specific ACL on the inside interface to allow a specific source IP (VPN user) to a specific host
2) Configure a specific group ACL - 1 per group of users, applied to the VPN client, on which access is allowed
3) Dynamic ACL assignment - you would need an internal RADIUS server for this, like the Cisco ACS
HTH
12-04-2009 05:27 AM
Each tunnel group uses a dedicated pool address, and no overlapping is present.
The no-nat policy is simple: permit ip
At this point, I might simply implement an ACL on the inside interface, blocking access from specific network resources to that pool address, whereas the tunnel policies are not so strict.
Not the state of the art, in design terms, but at least effective.
12-04-2009 07:52 AM
Hi,
Adding an access-group to the inside interface would be one way of implementing this design, however there are two more options you can use that relate directly to the VPN Remote Access implementation:
SPLIT TUNNELING. When you add a split-tunnel rule you install specific routes for the VPN Client. Only the hosts or networks that are reachable through these routes will be encrypted by the VPN Client, so in this way if the remote client tries to access another part of the network he shouldn't have access to, the software won't encrypt it. The traffic won't even arrive at the ASA and you would not need an access-group on the inside interface. More information on how to set this up at the following link:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#s2
VPN FILTER. The ASA has the option to configure an access-list filter on the tunnel itself, blocking traffic that goes through the tunnel. You can see an example on this link:
Personally I prefer the option of using split tunneling; it is much simpler and cleaner. If you don't want the hosts to reach a certain part of the network, just tell the client NOT to encrypt this traffic; you will use less bandwidth and resources.
Hope this helps,
Rick.
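As an added worked example (not from any of the posts above, and not taken from the Cisco documentation linked in the thread), here is how the options described in the second and fourth replies fit together on an ASA 8.0 for one of the three tunnel groups: a dedicated pool, NAT exemption, a split-tunnel list, a vpn-filter enforced on the ASA, and a locally authenticated user locked to that tunnel group. Every name and address in it (tunnel1, TUNNEL1-GP, TUNNEL1-FILTER, 10.10.1.0/24, 192.168.10.0/24, the host 192.168.10.20, the user alice) is a constructed placeholder.

```cisco
! Added example, not from the thread. All names/addresses are constructed placeholders.
! Goal: users of tunnel group "tunnel1" may reach only 192.168.10.20 on TCP/443.

! Dedicated address pool for this tunnel group (must not overlap any ASA interface subnet)
ip local pool TUNNEL1-POOL 10.10.1.1-10.10.1.50 mask 255.255.255.0

! NAT exemption (8.0 syntax): inside <-> VPN pool traffic is not translated
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.10.1.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Split-tunnel list: the client only sends this network through the tunnel.
! This is a route pushed to the client, so it is NOT enforcement on the ASA side.
access-list TUNNEL1-SPLIT standard permit 192.168.10.0 255.255.255.0

! vpn-filter: enforced by the ASA for traffic inside this tunnel, in both directions.
! The ACL is written with the INSIDE host as source and the VPN pool as destination,
! so the port restriction belongs on the inside (source) side.
access-list TUNNEL1-FILTER extended permit tcp host 192.168.10.20 eq 443 10.10.1.0 255.255.255.0
access-list TUNNEL1-FILTER extended deny ip any any log

! Group policy binds the pool, the split-tunnel list and the filter together
group-policy TUNNEL1-GP internal
group-policy TUNNEL1-GP attributes
 address-pools value TUNNEL1-POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value TUNNEL1-SPLIT
 vpn-filter value TUNNEL1-FILTER

! Tunnel group (the group name the VPN Client connects with) and its default policy
tunnel-group tunnel1 type remote-access
tunnel-group tunnel1 general-attributes
 default-group-policy TUNNEL1-GP
tunnel-group tunnel1 ipsec-attributes
 pre-shared-key <placeholder-psk>

! Locally authenticated user pinned to this policy; group-lock rejects logins
! through any other tunnel group, so the user cannot pick a less restrictive one
username alice password <placeholder-password>
username alice attributes
 vpn-group-policy TUNNEL1-GP
 group-lock value tunnel1
```

The design point is that the two mechanisms answer different questions: the split-tunnel list decides what the client encrypts, and a client that ignores the pushed routes is not stopped by it, whereas the vpn-filter is applied by the ASA to every packet in the tunnel regardless of the interface access-groups, so it is the one that actually enforces "this tunnel reaches only this resource". To check the result, connect as the user and watch `show access-list TUNNEL1-FILTER` hit counts; the `log` keyword on the final deny ACE makes blocked flows visible in the syslog, and `show vpn-sessiondb remote filter name alice` confirms which group policy and filter the session received. Repeat the pool, ACLs, group-policy and tunnel-group per tunnel group to cover the other two.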
12-04-2009 08:41 AM
You have plenty of options, some are nice and some are brute force. However before we get to that we need to figure out what does not currently work!
Can you post your config for review - remove all sensitive information.