08-29-2013 09:44 AM
Consider a situation where you have a "central" ASA hosting multiple L2L IPsec tunnels.
Outside users use AnyConnect to connect to the ASA and are granted the routing profile they choose.
Is there *any way* to use a single AnyConnect group which would dynamically set the needed VPN access list based, for example, on LDAP group info?
Small example:
L2L tunnel A has a tunnel-specific ACL and uses AnyConnect group A; only users in LDAP group XYA are allowed.
L2L tunnel B has a tunnel-specific ACL and uses AnyConnect group B; only users in LDAP group XYB are allowed.
If an end user has the right to connect to group A and B (belongs to groups XYA and XYB), can this be dynamically managed?
The real-world case holds hundreds of split-tunnels; this is just a simple example and question: is this possible or not?
-jra
09-07-2013 03:06 AM
Hi Jari
I'm not entirely sure I understand correctly what you want to achieve but I think you should be able to do so using a single group, and a set of DAP rules.
I.e. one rule that says "if user is member of XYA then apply acl A", another rule "if user is member of XYB then apply acl B" etc.
hth
Herbert
11-06-2014 09:06 AM
This works quite smoothly.
My problem was to understand the fact that I must route all available networks to the tunnel and then DAP makes the ACL, where one can go.
I assume this is a simple thing on a full tunnel, but as I prefer split-tunnel, this was a pain for me to understand.
Anyway, all good, everything works like a charm, case closed.
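The decision logic from Herbert's answer (one DAP record per LDAP group, each attaching its own network ACL, with a user in several groups getting the ACLs of every matched record) together with the point from the last post (a network that is not in the split-tunnel list never reaches the tunnel, so the DAP ACL never sees it), modelled in Python as an added example. This is not ASA configuration and not code from anyone in this thread; the record names, ACL names, group DNs and networks are constructed for illustration, and the model orders matched records by descending priority number, which is the order the ASA documentation describes for ACL aggregation.

```python
from ipaddress import ip_address, ip_network

# Constructed DAP-style records: one per LDAP group, each attaching one network ACL.
# On a real ASA the memberOf check is the record's AAA attribute criterion and the
# ACL is its network-acl; here both are plain dictionary fields.
DAP_RECORDS = [
    {"name": "DAP-TUNNEL-A", "priority": 10,
     "ldap_memberOf": "CN=XYA,OU=VPN,DC=example,DC=com", "network_acl": "ACL-TUNNEL-A"},
    {"name": "DAP-TUNNEL-B", "priority": 20,
     "ldap_memberOf": "CN=XYB,OU=VPN,DC=example,DC=com", "network_acl": "ACL-TUNNEL-B"},
]

# Constructed network ACLs: ordered (action, destination network) entries.
ACLS = {
    "ACL-TUNNEL-A": [("permit", "10.1.0.0/16")],
    "ACL-TUNNEL-B": [("permit", "10.2.0.0/16")],
}

# Constructed split-tunnel list: the networks the client routes into the tunnel.
# Every network any DAP ACL may permit has to be listed here, otherwise the
# client sends that traffic out its local interface and the ASA never sees it.
SPLIT_TUNNEL = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16"]


def matched_records(member_of):
    """Return the DAP records whose memberOf condition the user satisfies,
    highest priority number first (assumed aggregation order, see lead-in)."""
    groups = {g.lower() for g in member_of}
    hits = [r for r in DAP_RECORDS if r["ldap_memberOf"].lower() in groups]
    return sorted(hits, key=lambda r: r["priority"], reverse=True)


def aggregated_acl(member_of):
    """Concatenate the network ACLs of all matched records into one entry list.
    A user in XYA and XYB therefore gets the entries of both tunnel ACLs."""
    entries = []
    for rec in matched_records(member_of):
        entries.extend(ACLS[rec["network_acl"]])
    return entries


def tunnel_decision(member_of, dst):
    """Classify traffic from a user with these LDAP groups to destination dst:
    'local'  - dst is not in the split-tunnel list, so it never enters the VPN
               and no DAP ACL is consulted
    'permit' - sent into the tunnel and allowed by the aggregated DAP ACL
    'deny'   - sent into the tunnel but dropped by the aggregated DAP ACL
               (also the result for a user who matched no DAP record)"""
    addr = ip_address(dst)
    if not any(addr in ip_network(net) for net in SPLIT_TUNNEL):
        return "local"
    for action, net in aggregated_acl(member_of):
        if addr in ip_network(net):
            return action
    return "deny"  # implicit deny at the end of the aggregated ACL


if __name__ == "__main__":
    xya_only = ["CN=XYA,OU=VPN,DC=example,DC=com"]
    both = xya_only + ["CN=XYB,OU=VPN,DC=example,DC=com"]
    for user, label in ((xya_only, "XYA only"), (both, "XYA and XYB"), ([], "no group")):
        for dst in ("10.1.5.5", "10.2.5.5", "10.3.1.1", "192.168.1.1"):
            print(f"{label:12} -> {dst:12} {tunnel_decision(user, dst)}")
```

The model makes the follow-up poster's lesson visible: 10.3.0.0/16 is in the split-tunnel list but in no DAP ACL, so it is sent into the tunnel and dropped there, while 192.168.1.0/24 is absent from the split-tunnel list and is handled locally regardless of which DAP records matched.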