Cisco AnyConnect Secure Mobility Client

Nov 10th, 2013

I have a Cisco ASA 5525-X.


Behind the firewall I have six separate networks, with interface 0 connected to the Internet.

Cisco Anyconnect clients can connect from the Internet without any problems.

What I want to do is restrict users/groups to specific networks.

For instance, group1 can only connect to network1 after authentication.

The problem I have is that users that are NOT part of the tunnel-group are still authenticated and get access to a network they shouldn't have access to.


In short I want six groups for six networks but can't seem to make this work.

The reason for this is that these networks are six distinct networks with one Internet feed.


I would be most grateful if somebody can point me in the right direction.


thanks

Jouni Forss Sun, 11/10/2013 - 12:30

Hi,


I am not sure how you have configured the current VPN Client setup.


Do you have "tunnel-group" for each of these 6 networks?


I guess in that case you have a "group-policy" for each "tunnel-group" that either restricts the traffic through Split Tunnel setting or with the use of VPN Filter ACL (or both)?


And if you have "username" configured for all the users on the ASA itself then you could naturally use the "username attributes" configuration to move to the correct configuration mode and then use the "group-lock" parameter/command to lock the "username" in question only to a certain "tunnel-group".


You also have the ability to set that user's "vpn-group-policy" under the "username attributes" if you wish it to use something else than the one configured under "group-policy" that the "tunnel-group" uses.


- Jouni
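The pieces described above (a per-network "group-policy" with split tunnel and VPN filter, a "tunnel-group" using it, and a "username" locked to that tunnel-group), assembled for one of the six networks. This is an added example, not configuration from the thread; all names, addresses and the password are placeholders, and the same pattern is repeated for the other five networks.

```text
! --- network1: 10.1.0.0/24 (placeholder), AnyConnect pool 172.16.1.0/24 (placeholder)

! Only network1 is tunneled; everything else leaves the client directly.
access-list SPLIT_NET1 standard permit 10.1.0.0 255.255.255.0

! VPN filter: source is the client's pool address, destination the protected network.
! The ASA applies this to traffic arriving from the client, so a group1 user
! cannot reach network2..6 even if a route for them existed.
access-list VPNFILTER_NET1 extended permit ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.255.0

ip local pool POOL_NET1 172.16.1.10-172.16.1.100 mask 255.255.255.0

group-policy GP_NET1 internal
group-policy GP_NET1 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_NET1
 vpn-filter value VPNFILTER_NET1

tunnel-group TG_NET1 type remote-access
tunnel-group TG_NET1 general-attributes
 address-pool POOL_NET1
 default-group-policy GP_NET1
tunnel-group TG_NET1 webvpn-attributes
 group-alias Network1 enable

! Local user for group1. group-lock rejects the login if the user picks any
! other connection profile from the AnyConnect drop-down, which is the
! behaviour the original question was missing.
username alice password CHANGE_ME privilege 0
username alice attributes
 group-lock value TG_NET1
 vpn-group-policy GP_NET1
```

With the ASDM "Allow users to select connection profile" option enabled, alice can still see all six aliases, but authenticating against any profile other than Network1 fails because of group-lock.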

peterv Mon, 11/11/2013 - 08:58

Hi Jouni


Life is simple when you know how.


Thanks for the quick response, works a treat.


I have used the "group-lock" command to lock users to a particular network, that's just what I wanted.


I do have one other question, however not a showstopper. I have multiple VPN profiles so users can select the one to use. I would like, if at all possible, to not have the dropdown list but assign the correct profile to the user name.

When I de-select the option "Allow users to select connection profile" it uses the "DefaultWebVPNGroup". The dropdown box with the VPN selections is now gone, but my VPN logon now also fails.


I have tried several settings in the users properties but so far, no joy.


Peter

Jouni Forss Mon, 11/11/2013 - 10:09

Hi,


I got to admit that I am a bit rusty on the VPN Client side.


In some of our environments we utilize the default RA (Remote Access) "tunnel-group" only and use a separate AAA server to return the correct group for the user based on their login information.


Now if we had to do this with just the ASA then I am not 100% sure how to set it up. I wonder if the solution would then be to remove all the non-default "tunnel-group" configurations related to the type of VPN you are using and simply use the default "tunnel-group", assigning each "username" a different "group-policy" based on their need?


In other words using only the default "tunnel-group" there would be nothing to choose from in the drop down menu but the "group-policy" attached to the "username" would define to which networks traffic would be tunneled and so on.


I guess this would still require you to configure an "address-pool" under the default "tunnel-group", or you would have to define each user's IP address under the "username attributes".


To view the default "tunnel-group" and "group-policy" configurations on the CLI of the ASA you would have to use these commands:

show run all tunnel-group

show run all group-policy

Do take note that these commands print out a lot more information/configuration than the usual "show run" variation. This is because the command also shows the default settings which aren't otherwise visible in the "show run" output.


Would really need to test this myself to be able to give you a 100% sure answer.


- Jouni
