Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
392
Views
5
Helpful
4
Replies

web access on vpn

suthomas1
Level 6
Level 6

‎09-20-2010 08:38 PM - edited ‎03-11-2019 11:42 AM

Any possible method to permit only one of many vpn groups to access internet when connected to ssl vpn.

and is it possible to permit only few internet web sites, with specific ip address , to be allowed for particular vpn group.

thanks in advance.

Labels:
0 Helpful
4 Replies 4

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎09-20-2010 10:03 PM

If you're referring to the ASA (as the firewall terminating the VPN) then...

You can have a single group with a split-tunneling policy where you tunnel all traffic and provide Internet to this specific group.

If you have the IP addresses of the websites, you can create ACL to permit only access to those sites.

Other method will be to use the MPF to permit certain websites only.

Federico.

suthomas1
Level 6
Level 6
In response to Federico Coto Fajardo

‎09-20-2010 10:11 PM

apologies, it is an ASA 5540.

precisely, thats what is being asked for by our business. a certain group has to have internet while connected to vpn for only this one specific internet website.

please elaborate a little on how this can be achieved.

thanks

0 Helpful

Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to suthomas1

‎09-20-2010 10:25 PM

i.e

You know how you can have multiple VPN groups (IPsec or SSL), each one has its own tunnel-group configuration.

Then, you can call a different group-policy for each tunnel-group that you have configured.

So, a particular tunnel-group that needs to have split-tunneling, could have a configuration like:

group-policy vpnclient internal
group-policy vpnclient attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102

Where ACL 102 dictates the traffic to be encrypted.

If ACL 102 is something like:

access-list 102 permit ip any 10.1.1.0 255.255.255.0

where 10.1.1.0/24 is the VPN pool of addresses, you're effectively sending all traffic through the tunnel.

Then, if you configure regular NAT:

nat (outside) 1 10.1.1.0 255.255.255.0

global (outside) 1 interface

same-security-traffic permit intra-interface

The above configuration will send all traffic through the tunnel and will be NATed and routed out to the Internet by the ASA out the same outside interface.

To restrict outbound traffic, you could apply an ACL in the outbound direction on the outside interface allowing only the IPs for the websites you need.

Hope it helps.

Federico.

suthomas1
Level 6
Level 6
In response to Federico Coto Fajardo

‎09-21-2010 02:02 AM

used this configuration to try over.but had few thoughts on this:

Is acl 102 ip pool for this set of users ? this acl didnt show any hits on it when internet was tested.

removing of split-tunnel-policy tunnelspecified
split-tunnel-network-list value 102 ,

these two lines from current group-policy doesnt stop user groups to browse, browsing stops only after same interface security is removed.

i was thinking on how control would work if applied over selected multiple groups , since same-interface is a global command.

to try out, i used acl on nat statements to define user pool and destination ip & it did work fine. after i remove the nat acl it stops working.

which is a good control looking for.

Appreciate all advises in advance.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card