We are in the process of moving off of our old IPSec concentrator and moving to our new ASA firewall/VPN hardware. I have started creating new security groups and placed the VPN users into these groups to use for the authentication piece. I have had no problem creating profiles that use the "member of" type checking for authentication, as I can create specific security groups and place users in them. The only thing I have not been able to verify is that a specific profile only uses a specific authentication profile, as I have had a user connect without being in any specific security profile, so I figure I have something mixed up somewhere.
I do however have a couple questions regarding additional profile creation.
1) How do I create a "local" profile that I can have the users use to download and/or update the AnyConnect client? Going forward most of our users will use the SSL connection, as they only access a couple of applications via telnet or SSH, so they really do not need a full-fledged client. This will also keep the devices off the network and therefore reduce the virus, malware, etc. exposure from the regular home PC. I will however have a select group, such as corporate assets, that can have the full AnyConnect client installed. My plan is to have a generic profile that can be used by the helpdesk to get the client installed, with a single-use type password for access. The user would then use a different profile for their regular access, but would not have an option to download and install the client. I am attempting to control how and when the client is downloaded or installed. This would help prevent the client being installed on a non-authorized device such as a home PC. Is there a better or different way to do this?
2) I may already have an answer to this, but wanted to see if there was a better or different way as well. We have a lot of contractor-type accounts that have to have the client for remotely supporting systems and hardware. In the past we have created an AD account that everyone from that contractor shared. I know I can create a split-tunnel network that gives them access to their specific systems, but my question is about creating the authentication profile. Do I create a security group in addition to their AD account and continue with my standard "member of" type configuration, or is there a different way I can verify security access?
3) Any thoughts on being able to limit the port / protocol a tunnel uses, or would that just be overkill? I am thinking I will eventually have a tunnel or two that will be used for Remote Desktop access to a PC, or remote access to an RDS server so users can have a desktop to manage and maintain their Exchange e-mail accounts. Since we are removing most of the client access, this means users will not be able to have a local copy of Outlook, or whatever they are using, for mail.
I currently have the 2.5.3055 client and 844 on the controller.
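As an added example, not part of the original post, the fragment below shows the shape of ASA configuration that covers the "member of" mapping asked about in 1) and 2), the per-tunnel port restriction asked about in 3), and the case in the opening paragraph where a user not in any mapped group could still connect. Every name, DN, address, and ACL entry here is a placeholder assumed for illustration (the LDAP server 10.0.0.10, the domain example.com, the group CN=VPN-Contractor-Acme, the RDS host 10.10.20.5, and the policy and tunnel-group names); substitute your own.

```text
! Map AD group membership to an ASA group-policy. The DN in map-value must be the
! full, exact distinguished name of the AD group; the name after it is the
! group-policy to apply. Everything here is illustrative, not from the original post.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Contractor-Acme,OU=Groups,DC=example,DC=com" GP-CONTRACTOR-ACME
 map-value memberOf "CN=VPN-Corporate,OU=Groups,DC=example,DC=com" GP-CORPORATE

aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa,OU=Service,DC=example,DC=com
 ldap-login-password <placeholder>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 3) A vpn-filter ACL limits what the tunnel may carry. It is written with the
! remote client as the source, so this allows only RDP (TCP/3389) to one RDS host.
access-list VPN-RDP-ONLY extended permit tcp any host 10.10.20.5 eq 3389
access-list VPN-RDP-ONLY extended deny ip any any

! 2) Contractor policy: split tunnel to their systems, RDP-only filter, client only.
group-policy GP-CONTRACTOR-ACME internal
group-policy GP-CONTRACTOR-ACME attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value CONTRACTOR-ACME-NETS
 vpn-filter value VPN-RDP-ONLY

group-policy GP-CORPORATE internal
group-policy GP-CORPORATE attributes
 vpn-tunnel-protocol ssl-client ssl-clientless

! Users who authenticate but match no mapped group fall through to the tunnel
! group's default policy. Setting simultaneous logins to 0 there makes that
! fall-through fail closed instead of granting a generic session.
group-policy GP-NOACCESS internal
group-policy GP-NOACCESS attributes
 vpn-simultaneous-logins 0

tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy GP-NOACCESS
```

Two caveats worth checking on your own ASA: the map-value DN must match the group's DN exactly as AD returns it (use `debug ldap 255` during a test login to see the memberOf values the ASA actually receives), and a user who is in more than one mapped group gets only one of the resulting group-policies, so keep the mapped groups disjoint or use a dynamic access policy if you need combined results. The vpn-filter shown applies to the AnyConnect tunnel; clientless (browser) sessions are governed by the separate webvpn filter under the group-policy rather than by `vpn-filter`.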