ASA VPN Dynamic Access List

I am trying to set up a dynamic access list for a VPN user based on the username where it denies all traffic to the inside network except 3 servers. My problem is with the dynamic access list: apparently you can use only access lists with all denies or all permits, it can't be mixed, but you can use multiple access lists... Without having to set up access lists to deny all the IPs I want to block, how can I easily accomplish what I am trying to do?
akalbfellAsked:
akalbfellAuthor Commented:
Just adding the permit statements worked since the implicit deny all blocked the rest...
0
 
asavenerCommented:
Simply create an access list for the split tunnel with the three IPs you want to permit.

access-list Split_VPN standard permit host 192.168.1.1
access-list Split_VPN standard permit host 192.168.1.2
access-list Split_VPN standard permit host 192.168.1.3

0
 
akalbfellAuthor Commented:
Then I would have to create a new group though, right, since I am applying my split tunnel ACL to that group now?
0
asavenerCommented:
You ought to be able to apply the new split tunnel ACL to the existing group.
0
 
akalbfellAuthor Commented:
But that would affect all accounts... this access list is only for 1.
I can't create a second VPN group; this situation has 1 account being used by a group of people on different machines in a couple of locations. It would be a huge waste of time to have to reconfigure each VPN client... that's why I'm trying to just use a dynamic ACL.
0
 
arnoldCommented:
I think the processing of the ACL is different.
I.e. the split tunnel ACL advertises the routes to which a VPN user could connect.
The dynamic ACL applies to the traffic the user is sending and receiving through the tunnel.  I believe the dynamic ACL is a restriction on the VPN connection.
Make sure it applies to this user and another and test it out.
0
 
akalbfellAuthor Commented:
Yes, you are correct. The split tunnel ACL tells the client which networks traffic needs to be tunneled for, but that has nothing to do with my question... I am trying to figure out how to use the dynamic ACL to block traffic to all hosts except 3 on the network.
0
 
arnoldCommented:
How are you authenticating the user?  Do you use Radius authentication or is it a local user?
It also depends on your current configuration. If you exempt VPN traffic by using the nat () 0 rule or have the sysopt permit-ipsec rule, you are effectively exempting all VPN users from any ACL.

You would need to define subgroups: one where everyone will have rights to access the entire network, while the other group, to which this user belongs, will have only the ACL that permits access to these three hosts.
0
 
akalbfellAuthor Commented:
Yes, I authenticate by RADIUS, but I still don't see how any of this pertains to my problem... I have no issues making or applying the ACL to that user. The problem is that while I can use more than 1 ACL, each ACL must have only denies or only permits in it... I can't have 1 ACL that permits access to 1 server and 1 that denies to the entire network, since the deny will take precedence....
0
 
arnoldCommented:
You have radius groups with reply-items?
When the specific user authenticates, the reply-items you send from RADIUS is the ACL that allows access to just three IPs. When the others authenticate, they get a different default ACL.
There is no reason why you would need to send two ACLs.

Depending on which radius server you are using: freeradius, cistron, IAS, etc.

You might have a group based check or a user based check.
Since you want to limit one user:
You will have
user1, match password reply-items ACL_allow_access_to_three_servers
Default group check user/password match reply-items ACL_allow_access

When user1 authenticates, the ACL_allow_access_to_three_servers will be set on the VPN connection.
When everyone else authenticates, ACL_allow_access will be set for their connection.
0
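The per-user reply-item approach described above, as an added example that is not part of the original thread: a FreeRADIUS `users` file in which user1 receives a downloadable ACL (Cisco-AVPair `ip:inacl#N=` entries, which the ASA applies as the VPN filter for that session) permitting only the three hosts from the thread, while every other user falls through to a default entry that permits everything. The passwords, the group name and the `DEFAULT` fallback are placeholders and assumptions.

```text
# FreeRADIUS "users" file (constructed example, placeholder credentials).
# Check items go on the first line; reply items follow, comma-separated,
# with the last reply item carrying no trailing comma.

# user1 only reaches the three servers; the ASA appends an implicit deny,
# so no explicit deny entries are needed and the ACL stays all-permit.
user1   Cleartext-Password := "CHANGE-ME-user1"
        Cisco-AVPair += "ip:inacl#1=permit ip any host 192.168.1.1",
        Cisco-AVPair += "ip:inacl#2=permit ip any host 192.168.1.2",
        Cisco-AVPair += "ip:inacl#3=permit ip any host 192.168.1.3"

# Everyone else (matched by the catch-all DEFAULT entry) keeps full access.
DEFAULT Auth-Type := Accept, Group == "vpn-users"
        Cisco-AVPair = "ip:inacl#1=permit ip any any"
```

After user1 connects, the downloaded entries are visible on the ASA with `show access-list`, which is the quickest way to confirm the filter was actually applied to that session rather than to the group as a whole.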