
New Member

Too many dynamic access policies

Hi All,

Need your advice on this. I have multiple ASA firewalls in the Asia region to provide SSL-VPN (Clientless-VPN) access to the corporate network, for example Hong Kong and Singapore. When users in Singapore travel to Hong Kong, they can't use the SSL URL hosted there because, even though the login is successful, the DAP bookmarks are not configured on the HK firewalls. So these users have no choice but to SSL-VPN back to the Singapore firewalls, but this is inefficient and slow.

My questions are as follows:

1) Can I export the DAP on the Singapore firewalls and import it to the Hong Kong firewalls, and vice versa?

2) Can I export the bookmarks on the Singapore firewalls and import them to the Hong Kong firewalls, and vice versa?

3) Due to the number of users, I have too many DAPs configured on each firewall to match their Cisco user ID to the respective bookmark. Can I use something like a variable, so that one DAP will be sufficient? I need the DAP to be able to capture the username keyed in by the user and match it against a bookmark configured with the same username.

Like:

cisco.username =%uname

bookmarks=%uname

Any help will be much appreciated. Thanks

7 REPLIES
Silver

Re: Too many dynamic access policies

Hi,

We don't have an easy method to display a bookmark list based on username.

However, you can create one master bookmark list which has many different individual bookmarks each including a variable "CSCO_WEBVPN_USERNAME".

Example:

http://myserver.com/CSCO_WEBVPN_USERNAME/home/root

cifs://myftpserver.com/root/users/CSCO_WEBVPN_USERNAME/marketing etc..

When you do this, the ASA will replace the macro CSCO_WEBVPN_USERNAME with the session username.

So, if user "john" logs in, they will see two bookmarks: http://myserver.com/john/home/root, cifs://myftpserver.com/root/users/john/marketing

http://www.cisco.com/en/US/partner/docs/security/asa/asa80/asdm60/ssl_vpn_deployment_guide/deploy.html#wp1002989

One other alternative is to use LDAP attribute maps instead of DAP. If you have an LDAP database or Active Directory that has all the usernames, you can use the LDAP attribute map feature, which maps a particular LDAP attribute (say cn or username) to the Cisco attribute WebVPN-URL-List.

See an example below:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00808d1a7c.shtml

One caveat is that the URL-List setting in DAP and the LDAP attribute map are mutually exclusive. So you shouldn't apply a URL-List in DAP anymore.

Thanks,

Kiran
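The LDAP attribute-map alternative described in the reply above, written out as an added ASA configuration example (it is not from this thread or from Cisco's documentation). The idea is that the user's own login attribute is passed through unchanged as the value of the Cisco attribute WebVPN-URL-List, so a bookmark list whose name equals the login name is applied to that user with no per-user DAP record at all. The server address, base DN, bind account, server-group and tunnel-group names are assumed placeholders, and the per-user URL lists (for example one named "john" holding john's RDP bookmark) are assumed to have already been created in ASDM; only one attribute map can be attached to a server host.

```cisco
! Assumed example values: AD server 10.0.0.5, domain example.com, bind account asa-bind.
! map-name alone (no map-value) passes the LDAP value through unchanged, so a login of
! "john" selects the ASA bookmark list named "john". A map-value line would be needed
! only to translate a shared attribute value (e.g. department=Marketing) into a list name.
ldap attribute-map PER-USER-BOOKMARKS
  map-name sAMAccountName WebVPN-URL-List
!
! AAA server group used to authenticate clientless users; the map is attached per host.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.5
  ldap-base-dn dc=example,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-dn cn=asa-bind,ou=service,dc=example,dc=com
  ldap-login-password <bind-password>
  server-type microsoft
  ldap-attribute-map PER-USER-BOOKMARKS
!
! The clientless tunnel group authenticates against that server group.
tunnel-group CLIENTLESS-VPN type remote-access
tunnel-group CLIENTLESS-VPN general-attributes
  authentication-server-group AD-LDAP
```

Because the same configuration has to exist on every ASA, the only per-site data that differs is the set of URL lists, which removes the DAP export/import problem for bookmarks. Keep the DAP records free of any URL-List setting, since the caveat above still applies: a URL list set by DAP and one set by the attribute map are mutually exclusive. During a test login, `debug ldap 255` shows the attribute returned by the directory and the Cisco attribute it was mapped to, which is the quickest way to confirm the list name the ASA will look for.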

New Member

Re: Too many dynamic access policies

For the bookmarks, I think I can't make them simpler either, or use the method you suggest, because each individual VPN user has a unique bookmark that allows RDP to their personal desktop machine.

What about my questions about exporting DAP and bookmarks to import to another firewall?

Silver

Re: Too many dynamic access policies

My apologies; ASDM has an option to back up/restore the configurations. You can find it under "Tools". When you back up, only select DAP and CSD policies. Everything else should be unchecked. Then you can save it as a zip file and restore it on the other ASA. If you need automatic sync-up and push of DAP, you will need to use CSM for that.

New Member

Re: Too many dynamic access policies

Hi,

Thanks for that. Last question: when you say back up the DAP and CSD policies from firewall A and restore them on firewall B, can I do it during production hours without impacting operations? And if firewall A has a DAP policy XX and firewall B has a policy YY, and I back up A's config and restore it on B, will YY be overwritten or will they merge, with the end result being XX and YY?

Pardon me, can you give me the full terms for these?

DAP: dynamic access policies

CSD: Cisco Secure Desktop?

CSM: ??

Silver

Re: Too many dynamic access policies

If the DAP records have two different names, then the restore on Firewall-B will add to the existing DAPs (so XX and YY). If they are the same, I am not sure whether it will overwrite or merge. I will have to test.

CSM - Cisco Security Manager - helps you configure multiple security devices (firewall, router, switch, IDS, IPS, MARS, etc.) from one unified policy interface. It also supports checkpoint and rollover, multi-device config replication and push, etc.

http://www.cisco.com/en/US/products/ps6498/index.html

DAP - Dynamic Access Policy

CSD - Cisco Secure Desktop.

New Member

Re: Too many dynamic access policies

Thanks for the clarification on these terms.

I notice that my firewall A is using CSD but firewall B is not.

Will restoring the config from A, with CSD, on B cause any conflict?

Correction:

I see that I can choose not to back up the CSD config, just DAP alone.

But may I ask, which category do bookmarks fall into?

Silver

Re: Too many dynamic access policies

Bookmarks are known as "URL-Lists". They may show up under "webcontents" as well depending on the ASDM version.
