chekfu

asked:
Control VPN user to access a server

Hello

I would appreciate it very much if you could help.

I have configured IPSec VPN Remote Access using Cisco ASA 5500 series. It has been working.

Recently, we granted VPN permission to a vendor. So I created an account for the vendor and then set up the Cisco VPN Client with an imported pcf file on his laptop.

I want to control the VPN user to access only one server. For example, to ONLY allow that vendor account to RDP to a server (e.g. 192.168.1.11).
batry_boy

If you're using a local user account for the vendor, then you need to have the following statements in your ASA config (substitute the appropriate values for the user account and group policy name):

username vendoruser attributes
 vpn-group-policy VendorPolicy
group-policy VendorPolicy attributes
 vpn-filter value VendorAccess
access-list VendorAccess extended permit ip any host 192.168.1.11

I put "any" as the source address in that ACL because you don't know which IP address that vendor will get from the VPN pool of addresses.  Instead, the ACL is tied to his user account via the group policy so you don't have to worry about the source IP address.  And if you ever need to grant additional access to other hosts, just add similar ACL statements to that same "VendorAccess" ACL.

Hope this helps...
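As an added illustration (not part of the thread, and not Cisco's own tooling), the small Python evaluator below parses ASA extended ACEs and shows what the `permit ip any host 192.168.1.11` filter above actually admits, beside a constructed variant limited to TCP/3389 (RDP). The ACL text, the 10.10.10.5 client address and the port numbers are constructed for the example; the evaluator models only first-match-with-implicit-deny and the `any | host A | NET MASK` and `eq PORT` forms, not ASA named ports, object-groups or the vpn-filter's bidirectional evaluation.

```python
"""Evaluate Cisco ASA extended ACEs (e.g. a vpn-filter ACL) against sample flows. Added example."""
import ipaddress
# Constructed for this example: the ACE from the answer above, beside a tighter
# variant that admits only RDP (TCP/3389) to the same server.
ACL_ANY_IP = ["access-list VendorAccess extended permit ip any host 192.168.1.11"]
ACL_RDP_ONLY = ["access-list VendorAccess extended permit tcp any host 192.168.1.11 eq 3389"]

def _parse_addr(t):
    """Consume one ASA address spec: any | host A.B.C.D | A.B.C.D MASK."""
    kw = t.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(t.pop(0) + "/32")
    return ipaddress.ip_network(f"{kw}/{t.pop(0)}", strict=False)  # dotted subnet mask

def _parse_port(t):
    """Consume an optional 'eq PORT'; None means any port."""
    if t and t[0] == "eq":
        t.pop(0)
        return int(t.pop(0))
    return None

def parse_ace(line):
    """Split one ACE into fields; the 'access-list NAME' and 'extended' prefixes are optional."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    if t[0] == "extended":
        t.pop(0)
    action, proto = t.pop(0), t.pop(0)
    src, sport = _parse_addr(t), _parse_port(t)
    dst, dport = _parse_addr(t), _parse_port(t)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}

def acl_permits(acl_lines, proto, src, dst, dport=None):
    """ASA semantics: the first matching ACE decides; traffic matching no ACE is denied."""
    for ace in map(parse_ace, acl_lines):
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"]:
            continue
        if ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"] == "permit"
    return False
```

Calling `acl_permits(ACL_ANY_IP, "tcp", "10.10.10.5", "192.168.1.11", 22)` returns True, i.e. the `permit ip` filter lets the vendor reach any service on that host, while the `eq 3389` variant denies everything but RDP.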
chekfu

ASKER

Hi batry_boy

Thanks for your great help.

Currently, the VPN account is integrated with a RADIUS server (MS IAS) instead of a local user account.

I need your help to enlighten me on how to deal with my scenario. Thanks in advance!
chekfu

ASKER

Any updates?

Your help is very much appreciated.
batry_boy

Which group policy is the vendor set up to use on the ASA? Once you know that, just use the last 3 commands in my first post, referencing the appropriate group policy.
chekfu

ASKER

The same group policy is applied to Vendor and normal user.

Do Downloadable ACLs work? How do I do that, if I only want to restrict a vendor named vendor1 to RDP to 192.168.1.11?
batry_boy

Yes, you can use those. See the following link:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_guide_chapter09186a00801fd914.html#wp391415

I've never had occasion to use them before, but my understanding is that even if multiple users are using the same VPN group, the downloadable ACLs can be applied on a per-user basis.
ASKER CERTIFIED SOLUTION
chekfu
