
How to control what users can access over AnyConnect VPN

I am in the process of setting up AnyConnect for my department.  We will be providing access with another group as well.  I want to be able to limit access to hosts/subnets based on what group they are in.  One way I have handled this in the past was to do multiple vpn-groups using vpn-filter.

Since I will be using 8.2.5 and have an ACS 5.4 server in the mix, is there a better way to do it? I have thought about downloadable ACLs. Since I have control over AD as well, that may give me another option.

Also interested in a way where I can limit the users' access without them having to select the right group when they log in via AnyConnect.

Thanks,

Ron

3 REPLIES

Your use case is what the Identity Firewall features are designed for. It is an 8.4+ feature, however.

Details here and here.


OK. Will take a look at 8.4. Are downloadable ACLs still an option without going to 8.4? I remember seeing references to this in earlier versions of ACS. That would give me an option of controlling access via ACS and not having to get fancy with the ASA.


Hi Ronald,

From what I understand, what you want is that you have multiple users who connect using the AnyConnect client. Let us say you have users A, B and C. If user A connects to the tunnel group, then he can only access the 192.168.1.0/24 subnet; if user B connects, he can access the 192.168.2.0/24 subnet; if C connects, he can access both the 192.168.1.0 and 192.168.2.0 networks.

If this is what you are trying to achieve and you are using an AAA server for authentication of the users, you can create different groups for the different users and then bind a different group policy to each group. In those different group policies you can specify different split-tunnel ACLs as per your requirement, or define VPN filters, whatever your requirement is.

Below is an example for an ACS server with RADIUS assigning different group policies:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808cf897.shtml

If my understanding of your problem was incorrect, please correct me.

HTH
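The group-policy-per-group approach described in this reply, written out as an ASA 8.2 configuration fragment. This is an added example, not configuration from the thread or from the linked Cisco document; all names, subnets, the pool range and the ACS address are constructed placeholders, and it assumes ACS returns the IETF RADIUS Class attribute (25) as `OU=<group-policy-name>;` so that a single tunnel-group is enough and the user never has to pick a group in the client.

```cisco
! Constructed example: three AnyConnect user groups (A, B and C as in the reply),
! each restricted by a vpn-filter ACL bound to its own group-policy.
! vpn-filter ACLs are evaluated on decrypted client traffic, so they are written
! with the client pool as source and the permitted internal network as destination.
ip local pool ANYCONNECT-POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

access-list VPNFILTER-A extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNFILTER-B extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list VPNFILTER-C extended permit ip 10.10.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list VPNFILTER-C extended permit ip 10.10.10.0 255.255.255.0 192.168.2.0 255.255.255.0
! Fallback filter for a session whose RADIUS reply carries no group assignment:
! such a user gets no access instead of inheriting a permissive default.
access-list VPNFILTER-NONE extended deny ip any any

group-policy GP-A internal
group-policy GP-A attributes
 vpn-filter value VPNFILTER-A
 vpn-tunnel-protocol svc
group-policy GP-B internal
group-policy GP-B attributes
 vpn-filter value VPNFILTER-B
 vpn-tunnel-protocol svc
group-policy GP-C internal
group-policy GP-C attributes
 vpn-filter value VPNFILTER-C
 vpn-tunnel-protocol svc
group-policy GP-DEFAULT internal
group-policy GP-DEFAULT attributes
 vpn-filter value VPNFILTER-NONE
 vpn-tunnel-protocol svc

! ACS reached over RADIUS (placeholder address and key)
aaa-server ACS protocol radius
aaa-server ACS (inside) host 10.0.0.5
 key <shared-secret-placeholder>

! One tunnel-group for everyone. ACS returns Class = "OU=GP-A;", "OU=GP-B;" or
! "OU=GP-C;" per user group, and the ASA moves the session to that group-policy;
! anyone without a Class value lands in GP-DEFAULT and is denied by its filter.
tunnel-group ANYCONNECT type remote-access
tunnel-group ANYCONNECT general-attributes
 address-pool ANYCONNECT-POOL
 authentication-server-group ACS
 default-group-policy GP-DEFAULT

webvpn
 enable outside
 svc enable
```

After a user connects, `show vpn-sessiondb svc` reports the group-policy and filter actually applied to the session, which is the quickest way to confirm the RADIUS mapping took effect.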
