Cisco Support Community

New Member

How to configure AnyConnect ACLs?

I am a little new to Cisco ASAs, but we bought two new 5540s to use as a new VPN solution for our company. We want to implement Cisco AnyConnect full-client and clientless solutions for our end users. I am having problems setting up access lists based on groups. I simply want to create access lists to certain IPs based on groups. I ultimately want to get to the point where we have Dynamic Access Policies based on Active Directory groups, allowing access to back-end servers based solely on their group membership in AD. But first I need to figure out how to just apply an ACL to a group. Can anyone please help me with this? Any help would be much appreciated.

3 REPLIES
Cisco Employee

How to configure AnyConnect ACLs?

Bradley,

What would you like ASA to do?

In general we can use vpn-filter ... like this:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808c9a87.shtml

M.

New Member

Re: How to configure AnyConnect ACLs?

Thanks for your reply....

I would like to have a block-all, then allow access to certain back-end servers. For example: a user signs in and authenticates against AD. I would like to keep it simple at first and just apply an access list to that group. I was told by a few people that the ASA starts a connection with it open to everything and then you have to tell it what to block. I would like to apply an ACL to a group where it just allows access to one application. So I would be a Coplink user, for instance, and I am allowed to connect back to our AnyConnect VPN. The user signs on and, because he is in the Coplink group, an access list is applied to him to only allow him to 10.105.x.x. Or if someone is in a group called SSL_VPN, they would only have access to the 10.101.x.x and 10.105.x.x networks.

New Member


Well, I have implemented a similar solution with 2FA. The ASA will look for some string from the AD and apply an ACL created in the VPN filter list.

I haven't implemented this using LDAP, but I know it is doable.
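The configuration below is an added worked example for the policy the question describes, pulling together the two points made in the replies: a vpn-filter ACL attached to a group-policy (the Cisco employee's suggestion) and an LDAP attribute map that makes the ASA pick that group-policy from the memberOf string AD returns (what the last reply describes doing). It is not configuration from the original posts or from the linked Cisco document. The ACL, group-policy, tunnel-group and aaa-server names, the OU paths, the LDAP server address, the address pool and the service account are all assumptions; the 10.101.0.0/16 and 10.105.0.0/16 networks are taken from the question.

```text
! --- Assumed: ASA 8.2+ with AnyConnect image and "webvpn / enable outside"
! --- already configured; only the authorization pieces are shown here.

! Address pool handed to AnyConnect clients (assumed range)
ip local pool VPN_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! vpn-filter ACLs. Write them with the VPN client side as the source and
! the internal network as the destination; the ASA evaluates the reverse
! direction for return traffic. "any" is used for the client side so the
! filter does not depend on which pool address a user is assigned.
! Coplink users: only 10.105.0.0/16 (the ACL name is assumed)
access-list COPLINK_FILTER extended permit ip any 10.105.0.0 255.255.0.0
access-list COPLINK_FILTER extended deny ip any any

! SSL_VPN users: 10.101.0.0/16 and 10.105.0.0/16
access-list SSLVPN_FILTER extended permit ip any 10.101.0.0 255.255.0.0
access-list SSLVPN_FILTER extended permit ip any 10.105.0.0 255.255.0.0
access-list SSLVPN_FILTER extended deny ip any any

! Catch-all for users who authenticate but are in no mapped AD group
access-list NOACCESS_FILTER extended deny ip any any

! One group-policy per AD group; vpn-filter attaches the ACL to the policy
group-policy GP_COPLINK internal
group-policy GP_COPLINK attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value COPLINK_FILTER

group-policy GP_SSLVPN internal
group-policy GP_SSLVPN attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value SSLVPN_FILTER

! Default policy for the tunnel-group: deny everything, so a user who
! matches no mapping gets a tunnel that can reach nothing.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-tunnel-protocol ssl-client ssl-clientless
 vpn-filter value NOACCESS_FILTER

! LDAP attribute map: AD's memberOf value is translated into the ASA's
! Group-Policy attribute, so group membership selects the group-policy
! (and therefore the vpn-filter). Group DNs are assumed.
ldap attribute-map AD_GROUP_MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=Coplink,OU=VPN Groups,DC=example,DC=com" GP_COPLINK
 map-value memberOf "CN=SSL_VPN,OU=VPN Groups,DC=example,DC=com" GP_SSLVPN

! LDAP server definition (host, base DN and bind account are assumed)
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.1.1.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft
 ldap-attribute-map AD_GROUP_MAP

! Tunnel-group: authenticate against AD, fall back to the deny-all policy
tunnel-group SSLVPN_TG type remote-access
tunnel-group SSLVPN_TG general-attributes
 address-pool VPN_POOL
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
```

A few points a practitioner will want to check. The reason the connection "starts open to everything" is that, by default, `sysopt connection permit-vpn` lets decrypted VPN traffic bypass the interface access-groups, so with no vpn-filter a client can reach anything routable; the vpn-filter is the control that closes that, and an ACL used as a vpn-filter should not also be applied as an interface access-group. The `map-name memberOf Group-Policy` form is the ASA 8.2 and later name of the attribute; earlier releases used `IETF-Radius-Class` for the same purpose. A user whose memberOf contains more than one mapped group should be tested explicitly rather than assumed to land in the intended policy. To verify a session, `show vpn-sessiondb detail anyconnect` shows the group-policy and filter applied to each user, and `debug ldap 255` during a login shows the memberOf values AD returned and how they were mapped. The full Dynamic Access Policy approach the question mentions uses the same LDAP attributes (the `ldap.memberOf` criterion in a DAP record) and can attach a network ACL per record; the attribute-map route above is the simpler first step the question asked for.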
