I have a client that wishes to configure multiple groups for SSL VPN access. They would like for instance to have 2 groups:
They then want to disable split-tunneling for all groups, and for each group have a different ACL applied to filter traffic. For example they want users in the vendor group to only have access to a DNS server for DNS and then RDP to a Windows server. All of this they want authenticated by AD through ACS. Is the way to accomplish this through NAC, or is there another way?
OK, let me clarify... I have everything, including the filters, working except for tying a user to a specific group. I just don't know how to tie a user to a specific tunnel group, when that user is being authenticated via ACS. How do I do that?
The end goal is to make sure that a user cannot use a group other than what we want. I.e. a vendor can't use the user group to bypass ACL restrictions. Is this done with "group lock"?
It's been a while since I set this up but I believe that's all you have to do. The group-lock feature is to tie a group policy to a tunnel group which we do also. We want the VPN connections to be very predictable.
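As an added example (not taken from the thread), here is one way to lay out the vendor side of this on the ASA CLI: ACS returns a RADIUS Class attribute naming the group policy for the user's AD group, that group policy carries its own vpn-filter ACL, forces full tunneling and uses group-lock to pin the user to the vendor tunnel group, and the tunnel group's default policy denies anyone ACS did not map. All names and addresses are assumed.

```cisco
! Constructed example: vendors may only do DNS to 10.0.0.53 and RDP to 10.0.0.10.
! vpn-filter ACLs are written with the VPN client as the source.
access-list VENDOR_VPN extended permit udp any host 10.0.0.53 eq domain
access-list VENDOR_VPN extended permit tcp any host 10.0.0.10 eq 3389
access-list VENDOR_VPN extended deny ip any any

! Fallback policy: a user ACS does not map to a real group policy gets no session.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! Vendor policy: no split tunneling, restrictive filter, locked to its own tunnel group.
group-policy VENDOR_GP internal
group-policy VENDOR_GP attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value VENDOR_VPN
 group-lock value VENDOR_TG

! Vendor tunnel group: authenticates against ACS, falls back to NOACCESS.
tunnel-group VENDOR_TG type remote-access
tunnel-group VENDOR_TG general-attributes
 authentication-server-group ACS
 default-group-policy NOACCESS
tunnel-group VENDOR_TG webvpn-attributes
 group-alias vendor enable

! A staff group policy and tunnel group are built the same way with their own ACL and group-lock.
```

On the ACS side, the authorization profile for the vendor AD group returns RADIUS attribute Class (25) with the value `OU=VENDOR_GP;`; if that user then picks any other tunnel group (alias) at login, the group-lock in VENDOR_GP causes the ASA to reject the connection instead of applying the other group's ACL.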