Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

SSL VPN Authorization

Hi, The SSL VPN users are authenticated with ADS for connecting the SSL VPN. How to restrict the users with the access servers listed in Split tunnel. For example in Split tunnel there are 4 servers from Server-1 to Server-4

When user-1 logs in he should be able to access Server-1. He should not be able to access the other three.. The rest of users should be able to access all the servers. Pls advise.

2 REPLIES
Bronze

Re: SSL VPN Authorization

The easiest way would be to use ACS to have downloadable ACL's for each user.

Not using ACS though, you might have a tougher time. Hopefully somebody has a good way to do this. Off of the top of my head, you might be able to try creating two different Connection Profiles -- one for access to the 1 server, one for access to the other 3 servers, then associate a different Group Policy to each connection profile. This would allow you to define two ACL's that would block what you wanted.

So you would have two Connection Profiles:

--AllowServer1_Profile

--AllowServer2-4_Profile

You would also create two group policies:

--AllowServer1_GroupPolicy

--AllowServer2-4_GroupPolicy

Also need two ACL's:

access-list AllowServer1 permit ip any 1.1.1.1

access-list AllowServer1 deny ip any any

access-list AllowServer2-4 permit ip any 1.1.1.2

access-list AllowServer2-4 permit ip any 1.1.1.3

access-list Allowserver2-4 permit ip any 1.1.1.4

access-list AllowServer2-4 deny ip any any

Then you have to use the respective ACL's as filter lists on the matching group policies and connection profiles.

Like I said... off the top of my head. Hopefully someone knows an easier way.

Community Member

Re: SSL VPN Authorization

Thanks Bran, I will check for the same. Do you have any idea about Dynamic Access Policy? Will that help in this ?

140
Views
0
Helpful
2
Replies
CreatePlease to create content