I am in the process of rebuilding my ASA 5510 8.0(5) firewall configs and I am up to the point of building the remote-access VPN tunnels.
Now I am not sure if this is possible without a RADIUS or a VPN Concentrator but I figured I would try.
What I am attempting to do is use Active Directory to determine how a user connects in.
So the AD group the person belongs to determines which SSL VPN they can connect to.
The 3 connections are going to be:
Full VPN Tunnel
Tunnel into an OWA server
Tunnel into a Terminal Server
For some complicated reasons I am unable to put my Exchange or Terminal Server in the DMZ, so rather than having pin-holes from my External Connection directly to my Exchange and Terminal Server I figured I would just use the ASA and a VPN tunnel to connect to those services, along with the full VPN access.
So far this is as far as I have gotten (hardly anywhere):
I started to try to configure the VPN tunnels but I couldn't figure out how to determine which Policy to use based on the authentication the user uses. Hence why I am unsure whether this is even possible.
I have done something similar with SSL where I have the user log in and it sends them directly to a Terminal Server window and asks for an IP address for the server (using AAA). With this setup is there a way to directly send them to the Terminal Server without them having to put in the IP address?
Also is it possible if they belong to both the TS and OWA group that they are prompted for which they want to connect to (either the TS or OWA)?
I will keep playing with this to see if I can figure out what needs to be done. If I find a solution I will post it, but any assistance with this would be greatly appreciated.
I was able to verify that it is working by using different Banners in the Group Policies:
group-policy SSLAccessPlc internal
group-policy SSLAccessPlc attributes
 banner value SSL VPN Access Policy
group-policy TSAccessPlc internal
group-policy TSAccessPlc attributes
 banner value Terminal Server Access Policy
group-policy OWAAccessPlc internal
group-policy OWAAccessPlc attributes
 banner value Outlook Web Access Policy
tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_SRV_GRP
I only have a couple of questions left before this becomes functional:
1. How do I make it to where if a user is not part of any of the 3 AD groups they are denied access?
Right now if they are not part of any of the 3 AD groups they are assigned to the SSLAccessPlc
2. How would I go about auto forwarding users that are using the OWAAccessPlc directly to my Outlook Web Access?
So when a user signs onto the Clientless SSL and they are part of the OWAAccessPlc it forwards them directly to the OWA web address using the tunnel.
3. How do I setup the single sign-on?
When a user signs onto the SSL VPN since they are already using AD credentials, how do I forward those credentials onto either OWA or the Terminal Server?
4. How do I setup a link on the Portal to a Terminal Server and have it include the Terminal Server address?
I have been able to setup a link to the Terminal Server in the past, but the users still needed to enter in the IP address of the Terminal Server once they clicked the link. I would like to automate this to where the users don't have to remember anything but the username and password.
I will keep working on this throughout today, and hopefully I can answer some of my own questions. I will continue to post my findings until I am able to get everything working.
I apologize if this becomes annoying, but I just figured out question #1.
Basically what I had to do was create another AD group called Remote Access Grp, then I created a DAP rule that says that if the user is not part of Remote Access Grp then terminate the connection. So when a user requests access to the VPN I would have to first assign them to the Remote Access Grp, and then assign them to either the OWA, TS, or VPN groups to limit their access.
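For readers following the thread, here is an added configuration example (not the poster's config) showing the piece the posts above leave out: the LDAP attribute map that turns an AD memberOf value into one of the three group-policies, plus a closed default policy so that a user who matches none of the groups is rejected without needing the extra AD group and DAP rule described in the last post. The server address, the service account, the base DN and the group DNs are assumed values; the group-policy names are the ones from the thread. On 8.0(5) the attribute map targets IETF-Radius-Class; later releases also accept Group-Policy as the target attribute.

```text
! LDAP attribute map: AD memberOf -> ASA group-policy (assumed DNs)
ldap attribute-map AD_GROUP_MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN Full Access,OU=Groups,DC=example,DC=local" SSLAccessPlc
 map-value memberOf "CN=VPN TS Access,OU=Groups,DC=example,DC=local"   TSAccessPlc
 map-value memberOf "CN=VPN OWA Access,OU=Groups,DC=example,DC=local"  OWAAccessPlc

! AAA server group already referenced by the tunnel-group on the page
aaa-server LDAP_SRV_GRP protocol ldap
aaa-server LDAP_SRV_GRP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <PLACEHOLDER>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Closed default: a user whose memberOf matches none of the map-values
! lands here and is refused because zero simultaneous logins are allowed
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group DefaultWEBVPNGroup general-attributes
 authentication-server-group LDAP_SRV_GRP
 default-group-policy NOACCESS
```

With this in place the banners from the earlier post still serve as the quick check: a test account in each AD group should see its own banner, and an account in none of them should be refused at login. The map-value strings must match the group's distinguished name exactly as AD returns it, so copying the DN from the directory rather than typing it is the usual way to avoid a silent fall-through to NOACCESS.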