Anyconnect VPN client - Users

Unanswered Question

Is there a way to have specific user IDs access defined servers via the Anyconnect client version 2.5.0217 to an ASA5510? The idea is to limit outside contractors to only the resources they need. This was possible with the IPSEC client with different profiles, but so far I don't see how to do this with this new client. Any help would be greatly appreciated.


TJ

Marcin Latosiewicz Thu, 09/16/2010 - 00:43
User Badges:
  • Cisco Employee,

TJ,


Which mechanism did you rely on for IPsec?


Downloadable ACLs and split tunneling based on attributes should still be an option ...


Also cut through proxy should work.


Marcin


edit: Added mention about CTP.

When using IPSEC we had multiple profiles defined for special purpose users and needs. The profile included a network list that defined which servers those users had access to. The IPSEC client has the capability to enter a group and password. The group defined at the client would then translate to the profile at the ASA. I hope this helped.


TJ

Marcin Latosiewicz Thu, 09/16/2010 - 04:27
User Badges:
  • Cisco Employee,

Thomas,


Depending on your config, anyconnect users also land on group-policy and tunnel-group.


You can check out which ones those are by doing "show vpn-sessiondb det svc"


Please note that by default those might be DefaultRAgroup and default group policy.


Once you know which group policy you're using you can for example do vpn-filter (that does not apply to clientless):

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630190


Again, too many possibilities to be taken into account; I would suggest looking into downloadable ACLs as a possible solution or running VPN clients against CTP ;-)


Marcin
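The group-policy, tunnel-group and vpn-filter approach described above, written out as an added ASA 8.2 configuration example (not from the thread or from Cisco documentation). The pool range, server addresses, object names and the username are constructed placeholders; vpn-filter ACLs are written with the VPN client address as the source.

```cisco
! Constructed addresses: contractor VPN pool 10.10.10.0/24,
! permitted servers 192.168.50.10 (RDP) and 192.168.50.20 (SSH)
ip local pool CONTRACTOR_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0

! vpn-filter ACL: source = VPN client address, destination = inside resource.
! The filter has an implicit deny; the explicit logged deny makes blocked
! attempts visible in syslog for review.
access-list CONTRACTOR_VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.50.10 eq 3389
access-list CONTRACTOR_VPN_FILTER extended permit tcp 10.10.10.0 255.255.255.0 host 192.168.50.20 eq 22
access-list CONTRACTOR_VPN_FILTER extended deny ip any any log

! Group policy that carries the filter; svc = AnyConnect (SSL client) on 8.2
group-policy CONTRACTORS internal
group-policy CONTRACTORS attributes
 vpn-tunnel-protocol svc
 vpn-filter value CONTRACTOR_VPN_FILTER
 address-pools value CONTRACTOR_POOL
 group-lock value CONTRACTORS

! Tunnel group the contractors land on; the alias is what they pick in the client
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy CONTRACTORS
tunnel-group CONTRACTORS webvpn-attributes
 group-alias Contractors enable

webvpn
 enable outside
 tunnel-group-list enable

! Bind a specific user ID to the policy so it applies no matter which
! group the user selects (group-lock rejects a mismatched tunnel group)
username contractor1 password <placeholder-password>
username contractor1 attributes
 vpn-group-policy CONTRACTORS
 group-lock value CONTRACTORS
```

After a contractor connects, "show vpn-sessiondb det svc" should list CONTRACTORS as both group policy and tunnel group, and "show access-list CONTRACTOR_VPN_FILTER" shows hit counts on the permit and deny lines.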
