web access on vpn

Unanswered Question
Sep 20th, 2010

Any possible method to permit only one of many vpn groups to access internet when connected to ssl vpn.

and is it possible to permit only few internet web sites, with specific ip address , to be allowed for particular vpn group.

thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.5 (2 ratings)
Loading.
Federico Coto F... Mon, 09/20/2010 - 22:03

If you're referring to the ASA (as the firewall terminating the VPN) then...

You can have a single group with a split-tunneling policy where you tunnel all traffic and provide Internet to this specific group.

If you have the IP addresses of the websites, you can create ACL to permit only access to those sites.

Other method will be to use the MPF to permit certain websites only.

Federico.

suthomas1 Mon, 09/20/2010 - 22:11

apologies, it is an ASA 5540.

precisely, thats what is being asked for by our business. a certain group has to have internet while connected to vpn for only this one specific internet website.

please elaborate a little on how this can be achieved.

thanks

Federico Coto F... Mon, 09/20/2010 - 22:25

i.e

You know how you can have multiple VPN groups (IPsec or SSL), each one has its own tunnel-group configuration.

Then, you can call a different group-policy for each tunnel-group that you have configured.

So, a particular tunnel-group that needs to have split-tunneling, could have a configuration like:

group-policy vpnclient internal
group-policy vpnclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102

Where ACL 102 dictates the traffic to be encrypted.

If ACL 102 is something like:

access-list 102 permit ip any 10.1.1.0 255.255.255.0

where 10.1.1.0/24 is the VPN pool of addresses, you're effectively sending all traffic through the tunnel.

Then, if you configure regular NAT:

nat (outside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

same-security-traffic permit intra-interface

The above configuration will send all traffic through the tunnel and will be NATed and routed out to the Internet by the ASA out the same outside interface.

To restrict outbound traffic, you could apply an ACL in the outbound direction on the outside interface allowing only the IPs for the websites you need.

Hope it helps.

Federico.

suthomas1 Tue, 09/21/2010 - 02:02

used this configuration to try over.but had few thoughts on this:

Is acl 102 ip pool for this set of users ? this acl didnt show any hits on it when internet was tested.

removing of split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102 ,

these two lines from current group-policy doesnt stop user groups to browse, browsing stops only after same interface security is removed.

i was thinking on how control would work if applied over selected multiple groups , since same-interface is a global command.

to try out, i used acl on nat statements to define user pool and destination ip & it did work fine. after i remove the nat acl it stops working.

which is a good control looking for.

Appreciate all advises in advance.

Actions

This Discussion