09-15-2010 05:51 PM - edited 02-21-2020 04:50 PM
Is there a way to have specific user ID's access defined servers via the Anyconnect client version 2.5.0217 to an ASA5510? The idea is to limit outside contractors to only the resources they need. This was possible with the IPSEC client with different profiles but so far I don't see how to do this with this new client. Any help would be greatly appreciated.
TJ
09-16-2010 12:43 AM
TJ,
Which mechanism did you rely on for IPsec?
Downloadable ACLs and split tunneling based on attributes should still be an option ...
Also cut-through proxy should work.
Marcin
edit: Added mention about CTP.
09-16-2010 04:09 AM
When using IPSEC we had multiple profiles defined for special purpose users and needs. The profile included a network list that defined what servers that those users had access to. The IPSEC client has the capability to enter a group and password. The group defined at the client would then translate to the profile at the ASA. I hope this helped.
TJ
09-16-2010 04:27 AM
Thomas,
Depending on your config, anyconnect users also land on group-policy and tunnel-group.
You can check out which ones those are by doing "show vpn-sessiondb det svc"
Please note that by default those might be DefaultRAgroup and default group policy.
Once you know which group policy you're using you can for example do vpn-filter (that does not apply to clientless):
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1630190
Again too many possibilities to be taken into account, I would suggest looking into downloadable ACLs as a possible solution or running VPN clients against CTP ;-)
Marcin
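As an added example (not from either poster's config), this is what the vpn-filter approach Marcin describes looks like on an ASA 8.2-era box: contractor logins land on their own group policy whose filter ACL permits only the servers they need. All names and addresses (CONTRACTOR-*, 10.10.20.0/24, 192.168.1.10/11) are assumed placeholders.

```text
! Constructed example: restrict a set of AnyConnect users to defined servers.
! Address pool handed to contractor AnyConnect sessions
ip local pool CONTRACTOR-POOL 10.10.20.1-10.10.20.50 mask 255.255.255.0
!
! vpn-filter ACEs are written from the client's point of view:
! source = VPN client address, destination = internal resource.
! The ASA applies the filter to both directions of each flow, and
! anything not permitted here is dropped (implicit deny).
access-list CONTRACTOR-FILTER extended permit tcp 10.10.20.0 255.255.255.0 host 192.168.1.10 eq 3389
access-list CONTRACTOR-FILTER extended permit tcp 10.10.20.0 255.255.255.0 host 192.168.1.11 eq 22
access-list CONTRACTOR-FILTER extended permit icmp 10.10.20.0 255.255.255.0 host 192.168.1.10
!
! Group policy for contractors: SSL/AnyConnect only, filtered, own pool
group-policy CONTRACTOR-GP internal
group-policy CONTRACTOR-GP attributes
 vpn-tunnel-protocol svc
 vpn-filter value CONTRACTOR-FILTER
 address-pools value CONTRACTOR-POOL
!
! Tunnel-group (connection profile) that defaults to the contractor policy
tunnel-group CONTRACTORS type remote-access
tunnel-group CONTRACTORS general-attributes
 default-group-policy CONTRACTOR-GP
tunnel-group CONTRACTORS webvpn-attributes
 group-alias contractors enable
!
! Pin each contractor user ID to the policy and lock it to this tunnel-group,
! so picking a different profile in the client does not loosen the filter.
username contractor1 password <placeholder-password>
username contractor1 attributes
 vpn-group-policy CONTRACTOR-GP
 group-lock value CONTRACTORS
!
! Let the client show the profile list so users pick the right alias
webvpn
 tunnel-group-list enable
!
! Check which group policy and filter a live session actually received:
! show vpn-sessiondb detail svc filter name contractor1
```

The same vpn-filter and group-policy can be assigned from RADIUS/LDAP instead of local usernames, which is the per-user mapping the original IPsec group profiles provided.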