
Solved

ASA VPN Dynamic Access List

Posted on 2009-02-12
Last Modified: 2012-08-13
I am trying to set up a dynamic access list for a VPN user, based on the username, that denies all traffic to the inside network except 3 servers. My problem is with the dynamic access list: apparently you can only use access lists with all denies or all permits, they can't be mixed, but you can use multiple access lists... Without having to set up access lists to deny all the IPs I want to block, how can I easily accomplish what I am trying to do?
Question by:akalbfell
10 Comments
 
LVL 28

Expert Comment

by:asavener
ID: 23624139
Simply create an access list for the split tunnel with the three IPs you want to permit.

! ASA standard ACL: a split-tunnel list takes "host <ip>" with no protocol keyword
access-list Split_VPN standard permit host 192.168.1.1
access-list Split_VPN standard permit host 192.168.1.2
access-list Split_VPN standard permit host 192.168.1.3
 
 
LVL 8

Author Comment

by:akalbfell
ID: 23624171
Then I would have to create a new group though, right, since I am applying my split tunnel ACL to that group now?
 
LVL 28

Expert Comment

by:asavener
ID: 23624630
You ought to be able to apply the new split tunnel ACL to the existing group.

 
LVL 8

Author Comment

by:akalbfell
ID: 23624704
But that would affect all accounts... this access list is only for 1.
I can't create a second VPN group; this situation has 1 account being used by a group of people on different machines in a couple of locations. It would be a huge waste of time to have to reconfigure each VPN client... that's why I'm trying to just use a dynamic ACL.
 
LVL 81

Expert Comment

by:arnold
ID: 23684033
I think the processing of the ACL is different.
I.e., the split tunnel ACL advertises the routes to which a VPN user could connect.
The dynamic ACL applies to the traffic the user is sending and receiving through the tunnel. I believe the dynamic ACL is a restriction on the VPN connection.
Make sure it applies to this user and another, and test it out.
 
LVL 8

Author Comment

by:akalbfell
ID: 23684099
Yes, you are correct. The split tunnel ACL tells the client which networks' traffic needs to be tunneled, but that has nothing to do with my question... I am trying to figure out how to use the dynamic ACL to block traffic to all hosts except 3 on the network.
 
LVL 81

Expert Comment

by:arnold
ID: 23685148
How are you authenticating the user? Do you use RADIUS authentication, or is it a local user?
It also depends on your current configuration. If you exempt VPN traffic by using the nat () 0 rule or have the sysopt permit-ipsec rule, you are effectively exempting all VPN users from any ACL.

You would need to define subgroups, where everyone will have rights to access the entire network, while the other group to which this user belongs will have only the ACL that permits access to these three hosts.
 
LVL 8

Author Comment

by:akalbfell
ID: 23685196
Yes, I authenticate by RADIUS, but I still don't see how any of this pertains to my problem... I have no issues making or applying the ACL to that user. The problem is that while I can use more than 1 ACL, each ACL must have only denies or only permits in it... I can't have 1 ACL that permits access to 1 server and 1 that denies the entire network, since the deny will take precedence....
 
LVL 81

Expert Comment

by:arnold
ID: 23685429
You have RADIUS groups with reply-items?
When the specific user authenticates, the reply-item you send from RADIUS is the ACL that allows access to just three IPs. When the others authenticate, they get a different default ACL.
There is no reason why you would need to send two ACLs.

It depends on which RADIUS server you are using: freeradius, cistron, IAS, etc.

You might have a group based check or a user based check.
Since you want to limit one user, you will have:
user1, match password, reply-items ACL_allow_access_to_three_servers
Default group check, user/password match, reply-items ACL_allow_access

When user1 authenticates, ACL_allow_access_to_three_servers will be set on the VPN connection.
When everyone else authenticates, ACL_allow_access will be set for their connection.
 
LVL 8

Accepted Solution

by:akalbfell (earned 0 total points)
ID: 23723568
Just adding the permit statements worked, since the implicit deny all blocked the rest...
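The accepted solution and arnold's RADIUS reply-item suggestion both come down to one per-user ACL made only of permit lines, with the ASA's implicit deny doing the blocking. The following is an added example written for this page, not configuration from the thread or from Cisco: the first part is a FreeRADIUS `users` file entry that pushes the three permits to the ASA as Cisco AV-pairs, the second part is the static equivalent on the ASA using a vpn-filter, which is handy for testing the ACL before involving the RADIUS server. The username, password, group-policy and ACL names and the 192.168.1.x addresses are assumed for illustration.

```text
# --- FreeRADIUS "users" file entry (constructed example; names and password assumed) ---
# Each Cisco-AVPair becomes one line of the downloadable ACL on the ASA.
# The ASA evaluates the lines in #N order, first match wins, and an implicit
# deny follows the last line, so nothing else has to be denied explicitly.
# "any" as source matches whatever address the client receives from the pool.
restricted_user   Cleartext-Password := "ChangeMe123"
        Cisco-AVPair += "ip:inacl#1=permit ip any host 192.168.1.1",
        Cisco-AVPair += "ip:inacl#2=permit ip any host 192.168.1.2",
        Cisco-AVPair += "ip:inacl#3=permit ip any host 192.168.1.3"

! --- Static equivalent on the ASA, for testing without RADIUS (assumed names) ---
! A vpn-filter ACL is written with the VPN client as the source; the ASA
! applies it to the return traffic as well, so one direction is enough.
access-list VPN_3HOSTS extended permit ip any host 192.168.1.1
access-list VPN_3HOSTS extended permit ip any host 192.168.1.2
access-list VPN_3HOSTS extended permit ip any host 192.168.1.3
!
group-policy GP_RESTRICTED internal
group-policy GP_RESTRICTED attributes
 vpn-filter value VPN_3HOSTS
!
username restricted_user password ChangeMe123
username restricted_user attributes
 vpn-group-policy GP_RESTRICTED
!
! Verify after the user connects: "Filter Name" in the session detail, then hit counts
show vpn-sessiondb detail remote filter name restricted_user
show access-list VPN_3HOSTS
```

Two checks worth doing: the filter name shown by `show vpn-sessiondb detail` should be the downloaded or assigned ACL, and the hit counts in `show access-list` should move when the user reaches one of the three hosts and stay flat when they try anything else. Note also that `sysopt connection permit-vpn` only bypasses the interface ACLs for decrypted traffic; a vpn-filter or downloadable ACL is still enforced, so the restricted user stays restricted even when that option is set.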
