Site to Site VPN's with external group policies

daniel.pimentel
Level 1

Is it possible to have IKEv1 site-to-site VPNs with Cisco ASA 8.4(3) using external policies from an ACS 5.2?

I currently have many site-to-site VPNs with internal group policies and different sets of firewalls with the same rules, so changing one set of firewalls forces me to change all the others, making this a time-consuming effort. So I wanted to see if all the sets could grab the same policy from the ACS as an external group policy.


I have done this with remote access VPNs, but never with site-to-site VPNs, so I am not sure if this is possible.

Also, if there is a guide to make this work, that would be awesome.


Thanks in advance.

9 Replies

abwahid
Level 4

Hi,

Yes, check the guide below, which will probably help you.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/asdm71/vpn/asdm_71_vpn_config/vpn_asdm_setup.html

Thanks a lot, I will read the document and try the configuration.


Quick question, we normally use a lot of object-groups in our configurations in the group-profiles.

Is it possible to use the same object-groups in the ACS? Via downloadable ACLs?

Or is that just not possible, and I will have to create individual access-lists in the ACS to cover everything? I'll go and read the document, as the answer might be in there, but I wanted to check here as well.


Thanks a lot for the help.

Daniel,

You may use this.

object-group network ObjectGroup
 network-object <ip-address> <subnet-mask>


On the ACS server > go to Cisco AV pairs and define the ACL like this:

ip:inacl#=permit ip any object-group ObjectGroup

You may see the same attribute coming down to the ASA in "debug radius".

Hope this helps.

Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin

Awesome, thanks a lot.

I guess then I can use service object-groups in the same way, right?


object-group network ObjectGroup
 network-object <ip-address> <subnet-mask>

object-group service ServiceOB tcp
 port-object eq 80

And have something like


ip:inacl#=permit ip any object-group ObjectGroup object-group ServiceOB

The correct format should be

ip:inacl#=permit tcp any object-group network ObjectGroup object-group service ServiceOB

Please test this and report back.


Regards,

Jatin Katyal

** Do rate helpful posts**


~Jatin
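As an added illustration (not code from the thread, from Cisco, or from the posters above), the following Python snippet renders ACEs into the ip:inacl# cisco-av-pair format given in the correction above and sanity-checks each value against a constructed set of object-groups: it flags a referenced object-group that is not defined on the ASA, and it flags the permit ip / service object-group mismatch that the correction fixes. The names ObjectGroup and ServiceOB are taken from the thread; the set of locally defined groups, the function names and the check logic are assumptions for the example, and the qualified object-group network / object-group service wording simply follows the post rather than asserting what the ASA parser accepts.

```python
import re

# Constructed sample of the object-groups assumed to exist locally on the ASA
# (names taken from the thread; the sets themselves are hypothetical).
ASA_OBJECT_GROUPS = {
    "network": {"ObjectGroup"},
    "service": {"ServiceOB"},
}

AV_PAIR_RE = re.compile(
    r"^ip:inacl#(?P<seq>\d+)=(?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$"
)
# object-group reference, with or without the network/service qualifier
OG_REF_RE = re.compile(r"object-group(?: (network|service))? (\S+)")


def build_av_pair(seq, action, proto, src, dst, svc=None):
    """Render one ACE in the cisco-av-pair form shown in the thread.

    src and dst are 'any', 'host A.B.C.D', or the name of a network
    object-group; svc is an optional service object-group name."""
    def endpoint(ep):
        if ep == "any" or ep.startswith("host "):
            return ep
        return f"object-group network {ep}"

    ace = f"{action} {proto} {endpoint(src)} {endpoint(dst)}"
    if svc:
        ace += f" object-group service {svc}"
    return f"ip:inacl#{seq}={ace}"


def check_av_pair(value, groups=ASA_OBJECT_GROUPS):
    """Return a list of problems found in one ip:inacl# value (empty list = OK)."""
    problems = []
    m = AV_PAIR_RE.match(value)
    if not m:
        return ["not a well-formed ip:inacl# attribute"]
    proto = m.group("proto")
    for qualifier, name in OG_REF_RE.findall(m.group("rest")):
        # resolve an unqualified reference by looking the name up in every type
        og_type = qualifier or next(
            (t for t, names in groups.items() if name in names), None)
        if og_type is None or name not in groups.get(og_type, set()):
            problems.append(f"object-group {name} is not defined on the ASA")
            continue
        if og_type == "service" and proto not in ("tcp", "udp"):
            # a port-based service group only fits tcp or udp, which is the
            # "permit ip" -> "permit tcp" correction made in the thread
            problems.append(
                "service object-group requires protocol tcp or udp, not " + proto)
    return problems


def render_policy(aces, groups=ASA_OBJECT_GROUPS):
    """Number a list of ACE tuples and return (values, problems) for one profile."""
    values, problems = [], {}
    for seq, ace in enumerate(aces, start=1):
        v = build_av_pair(seq, *ace)
        values.append(v)
        issues = check_av_pair(v, groups)
        if issues:
            problems[seq] = issues
    return values, problems


if __name__ == "__main__":
    # constructed sample: one correct ACE and one with the protocol mistake
    sample = [
        ("permit", "tcp", "any", "ObjectGroup", "ServiceOB"),
        ("permit", "ip", "any", "ObjectGroup", "ServiceOB"),
    ]
    vals, probs = render_policy(sample)
    for v in vals:
        print(v)
    print(probs)
```

Each group policy with many ACEs becomes one ip:inacl#N attribute per ACE, numbered in order, which is the per-ACE listing the later question in this thread asks about.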

I have another question that I am not finding in the documentation.

I have created an Authorization Profile in ACS 5.2
I have put the Radius Class attribute with the name of the external group policy.

Some of these group policies have 10 or more ACEs in them. Do I need to define every single cisco-av-pair with the corresponding ACE? I do see an option in the Authorization Profile to put a downloadable ACL, but I am not sure if this would work the same way or if I have to stick with the cisco-av-pair instead.

Thanks again for all the help.

After some testing, this does not seem to be working as I expected.

I am able to authenticate against the ACS; shortly after, it looks like an ACL is generated by the ACS and pushed down to the ASA. It looks like the generated ACL is the username. Then a bunch of cisco-av-pairs are pushed down.

User-Name=#ACSACL#-IP-TESTVPN-ACL-53c59c48
 Class=CACS:fen-rad-01/133654809/294385
 cisco-av-pair=ip:inacl#1=permit tcp host 192.168.151.10 eq 1433 host 10.1.1.1

But first, I am not able to locate that ACL anywhere in the ASA, and I am not sure where it is being applied.

What I am really looking for with the group-policy is the vpn-filter capability, which I found I can control with the Filter-ID in the ACS: if I put the ACL in the ASA and reference it in the Filter-ID, then it gets pushed down successfully.

So my question would be: is there a way to use a Downloadable ACL in the Filter-ID field with object-groups defined locally in the ASA? Or is it simply not possible? I saw there is a Dynamic type of Filter-ID, but I was not able to find anything meaningful there for this.

Thanks in advance

I think you need this:

In order to download a name for an access list that you have already created on the security appliance from the RADIUS server when a user authenticates, configure the IETF RADIUS filter-id attribute (attribute number 11):

filter-id=acl_name

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113449-asa-vpn-acs-00.html#new


Regards,

Jatin Katyal

**Do rate helpful posts**

~Jatin
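As an added example (not code from the thread, from Cisco, or from the posters), the Python script below takes attribute lines in the form quoted earlier in this thread, sorts each attribute into the mechanism it drives on the ASA (the #ACSACL# name carried in User-Name, the Class value, the per-ACE ip:inacl# cisco-av-pairs, and a Filter-Id, which per the IETF attribute 11 note above must name an ACL already configured on the ASA), and reports a Filter-Id that points at an ACL not present in a constructed set of local ACL names. The sample attribute block is constructed from the lines quoted above plus a hypothetical Filter-Id; LOCAL_ACLS, the S2S-VPN-FILTER name and the function names are assumptions for the example.

```python
import re

# Constructed sample, modelled on the attribute lines quoted in the thread
# plus a hypothetical Filter-Id (values are illustrative, not device output).
SAMPLE_ATTRIBUTES = """\
User-Name=#ACSACL#-IP-TESTVPN-ACL-53c59c48
 Class=CACS:fen-rad-01/133654809/294385
 cisco-av-pair=ip:inacl#2=permit tcp any object-group ObjectGroup object-group ServiceOB
 cisco-av-pair=ip:inacl#1=permit tcp host 192.168.151.10 eq 1433 host 10.1.1.1
 Filter-Id=S2S-VPN-FILTER
"""

# ACL names assumed to exist locally on the ASA (hypothetical).
LOCAL_ACLS = {"S2S-VPN-FILTER"}

INACL_RE = re.compile(r"^ip:inacl#(\d+)=(.+)$")


def parse_attributes(text):
    """Return (name, value) pairs from 'Name=value' lines; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if "=" in line:
            name, value = line.split("=", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs


def classify(pairs, local_acls=LOCAL_ACLS):
    """Map each pushed attribute to the ASA mechanism it drives.

    Returns a dict with the #ACSACL# name seen in User-Name, the Class value,
    the Filter-Id, the numbered ACEs, and any problems found."""
    result = {"downloadable_acl": None, "class": None, "filter_id": None,
              "aces": [], "problems": []}
    for name, value in pairs:
        key = name.lower()
        if key == "user-name" and value.startswith("#ACSACL#-IP-"):
            # the thread observes the generated ACL name arriving as the username
            result["downloadable_acl"] = value
        elif key == "class":
            result["class"] = value
        elif key == "filter-id":
            # filter-id only names an ACL; the ACL body must already be on the ASA
            result["filter_id"] = value
            if value not in local_acls:
                result["problems"].append(
                    f"filter-id names ACL {value!r}, which is not configured on the ASA")
        elif key == "cisco-av-pair":
            m = INACL_RE.match(value)
            if m:
                result["aces"].append((int(m.group(1)), m.group(2)))
            else:
                result["problems"].append(f"unrecognised cisco-av-pair: {value}")
    # ip:inacl# entries carry their own sequence numbers, so order by them
    result["aces"].sort()
    return result


if __name__ == "__main__":
    summary = classify(parse_attributes(SAMPLE_ATTRIBUTES))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

Running it with an empty local ACL set shows the failure mode discussed above: the Class and ip:inacl# entries still classify normally, but the Filter-Id is reported as pointing at an ACL the ASA does not have.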

Thanks for the answer Jatin.

But I believe I would need the ACL already created in the ASA. I can successfully do this, but what I am really trying to accomplish is to apply the filter-id not with an ACL already created in the ASA, but with a dynamic ACL, maybe hosted in the ACS as a Downloadable ACL.

I tried to find documentation about the dynamic Filter-ID ACL, but I did not find anything, so I am not sure if this is possible.

Thanks a lot.
