Misconfigured ACS 5.5 allowing VPN users to log on to switches.
I've recently inherited an ACS 5.5 server that was upgraded from 4.1 a few weeks ago before I joined the company.
While digging through the config I noticed a lot of local users in a VPN group and while testing my credentials I found that I was able to use my VPN credentials to SSH in to my switches.
It appears that little work was done once the migration was complete. I believe that the issue revolves around the default policy being set to permit any user. Currently there are rules to allow our admin group to access our APC devices and a 2nd rule for the admin group to access the switches, but because of the default permit any, any VPN user can also access any of the network devices.
It's been a few years since I set up a "new" 5.x ACS server, and in the past I was using AD mappings to restrict the VPN users to only the VPN, so I'm feeling a bit rusty on how to correct this.
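The failure mode in the post is a fail-open default rule: the two admin rules never match a VPN user, so evaluation falls through to the default, and if the default permits, the VPN user is authorized to the switches. The added example below is not ACS code and is not from the poster; it is a small first-match policy evaluator that models the rule list as described (admins to APC, admins to switches, then a default rule) and then audits which group/device combinations reach the default. The group and device-group names ("NetAdmins", "VPNUsers", "APC", "Switches") are constructed assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model of an authorization rule: a rule matches when the
# user is in at least one of its identity groups and the device belongs
# to one of its device groups. None means "match any" for that condition.


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Optional[FrozenSet[str]]
    device_groups: Optional[FrozenSet[str]]
    result: str  # "permit" or "deny"


def evaluate(policy: List[Rule], default_result: str,
             user_groups: FrozenSet[str], device_group: str) -> Tuple[str, str]:
    """First-match evaluation, top to bottom; the default rule is last."""
    for rule in policy:
        if rule.groups is not None and not (rule.groups & user_groups):
            continue
        if rule.device_groups is not None and device_group not in rule.device_groups:
            continue
        return rule.name, rule.result
    return "default", default_result


def find_default_permits(policy: List[Rule], default_result: str,
                         groups: List[str], device_groups: List[str]) -> List[Tuple[str, str]]:
    """Audit helper: every (group, device group) pair that is permitted only
    because it fell through to a permissive default rule."""
    exposures = []
    for g in groups:
        for d in device_groups:
            rule_name, result = evaluate(policy, default_result, frozenset({g}), d)
            if rule_name == "default" and result == "permit":
                exposures.append((g, d))
    return exposures


# Constructed rule list mirroring the post: two explicit admin rules,
# everything else decided by the default rule.
RULES = [
    Rule("admins-to-apc", frozenset({"NetAdmins"}), frozenset({"APC"}), "permit"),
    Rule("admins-to-switches", frozenset({"NetAdmins"}), frozenset({"Switches"}), "permit"),
]
GROUPS = ["NetAdmins", "VPNUsers"]
DEVICE_GROUPS = ["APC", "Switches"]


def misconfigured_vpn_user() -> Tuple[str, str]:
    # Default rule = permit: a VPN user gets onto the switches via the default.
    return evaluate(RULES, "permit", frozenset({"VPNUsers"}), "Switches")


def corrected_vpn_user() -> Tuple[str, str]:
    # Default rule = deny: the same VPN user falls through and is denied.
    return evaluate(RULES, "deny", frozenset({"VPNUsers"}), "Switches")


def corrected_admin_user() -> Tuple[str, str]:
    # The explicit admin rule still matches before the default is reached.
    return evaluate(RULES, "deny", frozenset({"NetAdmins"}), "Switches")


if __name__ == "__main__":
    print("default permit, VPN user -> switches:", misconfigured_vpn_user())
    print("default deny,   VPN user -> switches:", corrected_vpn_user())
    print("default deny,   admin    -> switches:", corrected_admin_user())
    print("pairs exposed only by the default permit:",
          find_default_permits(RULES, "permit", GROUPS, DEVICE_GROUPS))
```

The audit function is the useful part for a cleanup like the one in the post: run it over every identity group and device group the server knows about and anything it reports is access that exists only because of the default rule, which is what a default-deny rule (plus an explicit rule for the VPN users to the VPN device group only) removes.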