Mahmoud,
It sounds more and more like a Cisco ASA VPN is not the right solution for your client.
Consider Citrix Xenapp or similar.
I think your client is trying to solve a human resources problem with technology. This is where I seek out his boss and confirm that person's mission.
-Joe
From: marc abel [mailto:marcabel_at_gmail.com]
Sent: Tuesday, June 12, 2012 11:23 PM
To: Mahmoud Genidy <ccie.mahmoud_at_gmail.com>
Cc: Joseph L. Brunner; Cisco certification <ccielab_at_groupstudy.com>
Subject: Re: ASA dial in VPN policies
You can only establish remote access VPN connections on the primary interface which has the default route so I don't believe this will work.
You cannot control who can access the ASA via IPSEC by using an access-list. You would have to apply that to the control plane and that would affect all VPN groups.
You can apply an access-list to restrict which resources people can access once they successfully connect, but to do this you either have to use vpn filter or specify the "no sysopt connection permit-vpn" which turns off the bypassing of access-list for the VPN.
In your case I think the best you are going to do is use a group password and user authentication rather than a certificate. It won't restrict which IP they connect from however.
-Marc
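The two controls Marc describes, as an added configuration example that is not part of the thread: a remote-access tunnel-group that authenticates users against AD through a AAA server group, uses a group pre-shared key rather than a certificate, and limits connected clients to one internal host with a vpn-filter. ASA 8.4 syntax is assumed; all names, addresses and the bind account are made up.

```text
! Added example (not from the thread). Names RA_POOL, AD_LDAP, RA_POLICY,
! RA_GROUP, VPN_TO_RDP and every address are placeholders for illustration.

! Address pool handed to connecting clients
ip local pool RA_POOL 192.168.100.10-192.168.100.50 mask 255.255.255.0

! AAA server group: user authentication against Active Directory over LDAP
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.1.1.20
 ldap-base-dn dc=example,dc=local
 ldap-login-dn cn=asa-bind,cn=Users,dc=example,dc=local
 ldap-login-password <bind-password-placeholder>
 ldap-naming-attribute sAMAccountName
 server-type microsoft

! vpn-filter ACL: written with the client's pool address as the source and
! the internal resource as the destination. Only RDP to one host is allowed;
! the explicit deny makes the intent visible in "show access-list" hit counts.
access-list VPN_TO_RDP extended permit tcp 192.168.100.0 255.255.255.0 host 10.1.1.10 eq 3389
access-list VPN_TO_RDP extended deny ip any any

! Group policy that attaches the filter to everyone in this tunnel-group
group-policy RA_POLICY internal
group-policy RA_POLICY attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value VPN_TO_RDP

! Tunnel-group: group password (IKEv1 pre-shared key) plus per-user AD login
tunnel-group RA_GROUP type remote-access
tunnel-group RA_GROUP general-attributes
 address-pool RA_POOL
 authentication-server-group AD_LDAP
 default-group-policy RA_POLICY
tunnel-group RA_GROUP ipsec-attributes
 ikev1 pre-shared-key <group-password-placeholder>

! By default "sysopt connection permit-vpn" lets decrypted VPN traffic bypass
! the outside interface ACL, which is why the vpn-filter above is needed.
! Marc's alternative is to disable that bypass so the outside ACL governs
! VPN traffic too (then the outside ACL must permit the pool's traffic):
! no sysopt connection permit-vpn
```

Neither control restricts the public IP a client connects from; the filter only takes effect after the user has authenticated, which is the limitation Marc points out.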
On Tue, Jun 12, 2012 at 7:47 PM, Mahmoud Genidy <ccie.mahmoud_at_gmail.com> wrote:
Thanks Joseph
Knowing it is an option configurable with Fortigate I thought there may be an equivalent in ASA.
I couldn't understand your point when you said it is not possible then you said it can be done using "isakmp profile match identity address"?
I thought about some alternative solution: To create a second external outside interface on the ASA and apply ACL on the internet router connected to this interface to restrict the VPN access. Another option would be to apply the ACL on the outside interface itself however I doubt it will work!
On Tue, Jun 12, 2012 at 4:12 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
> Not possible... practically speaking.. people move around a lot, etc.
>
> If you knew their ip was going to always be X - say you had some
> consultants that only use the vpn from a major site, etc. then it could be
> done with isakmp profiles matching "isakmp profile match identity address"
> and the like - but remember, we are architects and designers more than we
> are "errand boys" at our level...
>
> Just because some business person has a vision of Acid Burn and Crash
> Override sitting at their Toshiba Tecras and some neon characters going by
> in the background doesn't mean IT works that way...
>
> What works for most must for all :0)
>
> That's how I support it!
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Mahmoud Genidy
> Sent: Tuesday, June 12, 2012 1:51 AM
> To: Cisco certification
> Subject: Re: ASA dial in VPN policies
>
> Let me rephrase the question:
>
> How to restrict remote access VPN users based on their source (Real) IP
> address in ASA firewall?
>
>
> On Tue, Jun 12, 2012 at 3:17 PM, Joseph L. Brunner <joe_at_affirmedsystems.com> wrote:
>
> > This is done in the real world by giving out two vpn groups... not by
> > tweaking little things behind the scenes for the one group...
> >
> > There are other things you probably need to do with your time/life
> > than this...
> >
> > Two groups...
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf
> > Of Mahmoud Genidy
> > Sent: Monday, June 11, 2012 9:31 PM
> > To: Cisco certification
> > Subject: ASA dial in VPN policies
> >
> > Hi Team,
> >
> > Is it possible to have the ASA configured for two different dial in
> > VPN access policies as follows:
> >
> > - First group of remote dial in VPN users are active directory
> > authenticated and restricted with private certificate
> >
> > - Second group of remote dial in VPN users are active directory
> > authenticated and restricted based on their source real IP address
> >
> >
> >
> > What may be the options for implementation, and would this require the
> > two groups of users to dial into two different external ASA IP addresses?
> >
> >
> >
> > The story behind this is that the customer has implemented a Private
> > Certificate as part of remote dial in VPN access authentication. They
> > have some of their remote users not happy with this option as it
> > restricts remote access to a specific PC or laptop where the certificate
> > is installed.
> > However they need flexibility of connecting from any PC within their
> > remote small office/home where they connect through a gateway with a
> > fixed Real-IP address. So for this group of users they need to
> > implement another policy where they can have access restriction based
> > on their source real IP address. Other users who are already happy with
> > the private certificate will stay the same.
> >
> >
> >
> > Cheers
> >
> > Mahmoud
> > CCIE#23690
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
>
>
Received on Wed Jun 13 2012 - 04:10:32 ART