Hello All .. First post.. I have lurked here for years and have found sooo many answers, fixes and assistance for many of my problems and decided it's time to give back and get some help at the same time =-)
Moving on..
I have an ASA 5520 working just fine doing AAA with MS IAS. I have 2 groups and I can log in as any user from those groups with no problems. Based on the split-tunnel-acl I have network access also with no problems.
What I'm trying to do though is figure out 2 things.
1. How can I use MS IAS to control network access?
What I would like is to have the GROUP_SplitTunnelAcl say something like:
- permit 10.10.1.0 255.255.255.0
But using MS IAS block access to 10.10.1.5
I understand that you can control the ACL of the VPN group by specifying an ACL in the filter-id.
I found this out here:
http://support.microsoft.com/kb/283829 .. But I have still not been able to make even that work out. I think it has to do with something on the IAS server.
- What I have added / tried already is:
* Service-Type: Login
- I have added Cisco av-pair in the following format and none work:
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5
I have also tried adding these statements in the Vendor specific attribute settings identifying the following
- Vendor-Specific Attribute: Cisco
- Vendor-assigned attribute number: 1
- ip:inacl#=deny icmp any host 10.10.1.5
- ip:inacl#99=deny icmp any host 10.10.1.5
- ip:access-list GROUP_splitTunnelAcl deny icmp any 10.10.1.5
2. How can ASA ACLs be written, applied and used? (that might be 3 things as one!)
- Must they be standard format?
------ If so, this means you can't write them to block protocol (ICMP, TCP, WWW) access, right?
------ If no, then how come I can't get my DENY ACLs above the PERMIT statements to work?
What I found funny is that even trying to set a DENY using protocol (ICMP) in the GROUP_SplitTunnelAcl didn't even work and is not respected when connected via VPN. This is what makes me believe you can't write STANDARD ACLs to block protocol (ICMP, TCP, WWW) access.
So in short.. this thing works fine, but I'd like to do this per group/user network access control. I'd like to have the split-tunnel-acl say allow access to the 10.10.1.0/24 subnet, but for Group A deny IP access to 10.10.1.5 and for Group B deny tcp to 10.10.1.8 eq www.
Hope I'm painting a clear picture. If not.. I will provide what is needed to help you help me :-)
Thanks in advance and I'm really excited to be a person in need here at EE!
LBS
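Added example (not code from the poster, Cisco or Microsoft): the cisco-avpair value entered in IAS as a Vendor-Specific attribute (vendor Cisco, vendor-assigned attribute number 1) is carried in the RADIUS Access-Accept as RFC 2865 attribute 26 with Cisco's IANA enterprise number 9. This Python builds numbered `ip:inacl#N=` entries in that encoding and decodes them back, so a captured Access-Accept can be checked for what the ASA actually received; the ACE strings are constructed samples based on the post's 10.10.1.5 example.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
CISCO_VENDOR_ID = 9           # IANA enterprise number for Cisco
CISCO_AVPAIR = 1              # vendor-assigned attribute number (cisco-avpair)


def cisco_avpair_vsa(avpair: str) -> bytes:
    """Encode one cisco-avpair string as a RADIUS Vendor-Specific attribute.

    Layout: Type(26) Length Vendor-Id(4) Vendor-Type(1) Vendor-Length Value
    """
    value = avpair.encode("ascii")
    vendor_len = 2 + len(value)        # vendor-type + vendor-length + value
    attr_len = 2 + 4 + vendor_len      # type + length + Vendor-Id + vendor payload
    if attr_len > 255:                 # RADIUS Length is a single byte
        raise ValueError("av-pair too long; split the ACL across more inacl# entries")
    header = struct.pack("!BBIBB", RADIUS_VENDOR_SPECIFIC, attr_len,
                         CISCO_VENDOR_ID, CISCO_AVPAIR, vendor_len)
    return header + value


def inacl_vsas(aces) -> bytes:
    """Number each ACE as ip:inacl#<n>=... so ordering (deny before permit) is explicit."""
    return b"".join(cisco_avpair_vsa(f"ip:inacl#{n}={ace}")
                    for n, ace in enumerate(aces, start=1))


def decode_cisco_avpairs(blob: bytes) -> list:
    """Walk a run of RADIUS attributes (e.g. from an Access-Accept) and
    return the cisco-avpair strings found, in wire order."""
    out, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        if atype == RADIUS_VENDOR_SPECIFIC:
            vendor_id, vtype, vlen = struct.unpack("!IBB", blob[i + 2:i + 8])
            if vendor_id == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                out.append(blob[i + 8:i + alen].decode("ascii"))
        i += alen
    return out


# Constructed sample: the post's deny-10.10.1.5 case placed above the subnet permit.
SAMPLE_ACES = ["deny icmp any host 10.10.1.5",
               "permit ip any 10.10.1.0 255.255.255.0"]

if __name__ == "__main__":
    wire = inacl_vsas(SAMPLE_ACES)
    for avp in decode_cisco_avpairs(wire):
        print(avp)
```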