Cisco ASA 5510 running 8.3.2
I am configuring anyconnect VPN using Dynamic Access Policies for the first time. I have configured AAA Ldap against Windows 2003 Active Directory and this is working fine.
What I would like to do is set up some granularity and create AD groups that give network access to particular devices.
E.g. I create an AD group "allow RDP to server", put my authorized users in that, and create a DAP policy that has a network ACL configured that says:
permit from VPN pool RDP to Server.
Then I may create an AD group "allow telnet to switch", put my users in that, and create a DAP policy that has a network ACL configured that says:
permit from VPN pool Telnet to switch.
I think everything is working OK in terms of applying the correct policy to the correct user, but the problem is that all users who have VPN access always have full access to all network resources, e.g. all authenticated users can always RDP or telnet to all services down the VPN.
I think I somehow need an implicit deny, or perhaps I could create a DAP ACL deny-all policy. I have tried creating a deny-all DAP with a "Deny Any Any" ACL and giving that a low priority etc., but nothing seems to work.
"sysopt connection permit-vpn" is turned on. I think this is by default. Not sure if this has any relevance though.
Has anyone any ideas where I'm going wrong?
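For reference, the three network ACLs the post describes, written out in ASA CLI syntax so the intended per-group restriction and the deny-all fallback can be compared side by side. This is an added example, not the poster's configuration: the pool name, the pool range and the two destination hosts are constructed placeholders, and the ACL names are assumptions; in the poster's design each ACL is then attached to the matching DAP record through ASDM rather than to an interface.

```cisco
! Constructed VPN address pool (placeholder range, not from the post)
ip local pool VPN_POOL 10.10.20.1-10.10.20.50 mask 255.255.255.0

! "permit from VPN pool RDP to Server" - assumed server address 10.10.1.10
access-list DAP_RDP_TO_SERVER extended permit tcp 10.10.20.0 255.255.255.0 host 10.10.1.10 eq 3389

! "permit from VPN pool Telnet to switch" - assumed switch address 10.10.1.20
access-list DAP_TELNET_TO_SWITCH extended permit tcp 10.10.20.0 255.255.255.0 host 10.10.1.20 eq telnet

! Deny-all ACL for the fallback DAP record ("Deny Any Any")
access-list DAP_DENY_ALL extended deny ip any any

! Verification: confirm which filter a connected AnyConnect session actually received,
! and whether the ACL entries are being hit at all
show vpn-sessiondb detail anyconnect
show access-list DAP_DENY_ALL
show access-list DAP_RDP_TO_SERVER
```

The "Filter Name" field in the session detail output and the hit counts on each ACE show whether the DAP selection is the problem (a session carrying no filter, or an unexpected one) or whether the ACL is applied but its entries are never matched.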