Solved

How do I restrict VPN VLAN network access by username?

Posted on 2009-04-02
5
3,407 Views
Last Modified: 2012-05-06
I'm trying to configure my Cisco ASA 5510 to restrict VPN network access to only one VLAN on the internal network by the username used to log in.  I have a vendor that set up our Audio/Visual equipment and they need remote access to fix programming problems from time to time.  I want to either create a username for them on the ASA or on the domain, whichever will make this work.  Then I need them to only be allowed access to 10.1.40.0 255.255.255.0.

I have tried multiple configurations to make this work and the only way I seem to be able to come close is to block access on the Outside interface for the IP range 192.168.50.0 to anything else on the internal network except for 10.1.40.0, since 192.168.50.0 is the range assigned to the VPN group.  This solution then blocks everyone using the VPN and doesn't completely solve my problem.

I have tried assigning an ACL to the VPN group but it doesn't seem to take; I must be missing something.  I also don't completely understand how a tunnel group works, which might be part of my problem.

Here is a little info about how my network is configured.

Internet <----->ASA<---->Cisco 4503<---->LAN
All of my VLANs are configured on the 4503

Thanks in advance for any help you might be able to provide.  Here is my current config:

: Saved
:
ASA Version 8.0(4) 
!
hostname Ciscoasa
domain-name corp.domain.com
enable password 
passwd 
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address "Outside IP" 255.255.255.252 
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.253 255.255.255.0 
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.0.0.2
 domain-name corp.domain.com
object-group service RDP tcp
 description Terminal Services Connections
 port-object range 3389 3389
object-group service IMAP4 tcp-udp
 description IMAP4  iPhones
 port-object range 143 143
object-group service SSL-IMAP tcp-udp
 description SSL IMAP for iPhones
 port-object range 993 993
object-group service Inter-tel-5566 tcp
 description Inter-tel TCP 5566
 port-object eq 5566
object-group service Inter-tel-5567 udp
 description Inter-tel UDP 5567
 port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
 group-object IMAP4
 group-object SSL-IMAP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Blocked-Ports
 description Q-Charts Ports 8048 - 8049 unassigned
 service-object tcp-udp eq 8048 
 service-object tcp-udp eq 8049 
 service-object tcp-udp eq 2189 
 service-object tcp-udp source eq 23100 eq 23100 
 service-object tcp-udp source eq 24100 eq 24100 
object-group service SSL-VPN tcp-udp
 description Cisco SSL VPN Client
 port-object eq 444
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 10.1.40.0 255.255.255.0 
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 any inactive 
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP 
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081 
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface Outside eq smtp 
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive 
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2 
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566 
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567 
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565 
access-list Inside_access_in remark SMTP Outbound SihleExchange
access-list Inside_access_in extended permit tcp host 10.0.0.4 64.18.0.0 255.255.240.0 eq smtp 
access-list Inside_access_in remark Block All Outbound SMTP Traffic
access-list Inside_access_in extended deny tcp any any eq smtp 
access-list Inside_access_in remark Block AOL Instant Messenger
access-list Inside_access_in extended deny tcp any any eq aol inactive 
access-list Inside_access_in remark Q-Charts
access-list Inside_access_in extended deny object-group Blocked-Ports any any 
access-list Inside_access_in extended permit ip any any 
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any 192.168.25.0 255.255.255.0 
access-list VPN_Clients extended permit ip any 192.168.50.0 255.255.255.0 
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit 10.1.40.0 255.255.255.0 
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any 
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address email@address.com level emergencies
logging facility 16
logging debug-trace
logging ftp-server 10.0.0.248 ASA5510
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 192.168.25.100-192.168.25.150 mask 255.255.255.0
ip local pool Vendors 192.168.50.100-192.168.50.105 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0 192.168.25.0 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface 3389 10.0.0.3 3389 netmask 255.255.255.255 
static (Inside,Outside) tcp interface 8081 10.0.0.11 8081 netmask 255.255.255.255 
static (Inside,Outside) tcp interface smtp 10.0.0.4 smtp netmask 255.255.255.255 
static (Inside,Outside) tcp interface www 10.0.0.4 www netmask 255.255.255.255 
static (Inside,Outside) tcp interface https 10.0.0.4 https netmask 255.255.255.255 
static (Inside,Outside) tcp interface 993 10.0.0.4 993 netmask 255.255.255.255 
static (Inside,Outside) udp interface 993 10.0.0.4 993 netmask 255.255.255.255 
static (Inside,Outside) tcp interface imap4 10.0.0.4 imap4 netmask 255.255.255.255 
static (Inside,Outside) udp interface 143 10.0.0.4 143 netmask 255.255.255.255 
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 209.16.116.125 10
route Inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.2.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.5.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.12.0 255.255.255.0 10.1.12.1 1
route Inside 10.1.15.0 255.255.255.0 10.1.15.1 1
route Inside 10.1.20.0 255.255.255.0 10.1.20.1 1
route Inside 10.1.35.0 255.255.255.0 10.1.35.1 1
route Inside 10.1.40.0 255.255.255.0 10.1.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.0.0.2 protocol radius
aaa-server 10.0.0.2 (Inside) host Sihle-DC
 key 
 radius-common-pw 
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
 nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL 
aaa authorization command LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac 
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac 
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac 
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac 
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn Ciscoasa.corp.domain.com
 subject-name CN=Ciscoasa.corp.domain.com
 keypair key
 crl configure
crypto ca server 
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    30820208 30820171 a0030201 02020131 300d0609 2a864886 f70d0101 04050030 
    quit
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 10.0.0.5
dhcpd wins 10.0.0.2 10.0.0.2
dhcpd domain corp.domain.com
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
vpn load-balancing 
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
 port 444
 enable Outside
 dtls port 444
 csd image disk0:/csd_3.4.1108.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.0.0.2
 dns-server value 10.0.0.2 10.0.0.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Vendors internal
group-policy Vendors attributes
 banner value This network is intended for private use only.
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
username  encrypted privilege 0
username  attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool (Inside) VPN
 authentication-server-group Sihle-Domain
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool (Inside) Vendors
 address-pool Vendors
 authentication-server-group Sihle-Domain
 authentication-server-group (Inside) LOCAL
tunnel-group Vendors webvpn-attributes
 group-alias Vendors enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
!
service-policy global_policy global
smtp-server 10.0.0.4
prompt hostname context 
Cryptochecksum:e085db01e0bd4b96f07cfbc7fc1aae14
: end
asdm image disk0:/asdm-61551.bin
asdm location 10.0.0.33 255.255.255.255 Inside
asdm location 10.1.40.0 255.255.255.0 Inside
asdm location 192.168.50.0 255.255.255.0 Inside
no asdm history enable

Question by:SihleIns
5 Comments
 
LVL 16

Expert Comment

by:2PiFL
ID: 24050394
I create a tunnel group for each individual with their own ACL.  We don't get many requests for "outside" people to access our network, so this works for us.

Here's a doc on creating ACLs on the PIX and ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#maintask1
0
 
LVL 10

Expert Comment

by:stsonline
ID: 24054155
You need a group-policy and a tunnel-group specific to the vendor and a defined ACL with the hosts and/or nets you want the user to be able to access, then create the user(s) and put the user(s) into the group - here's an example:

group-policy vendor-mainline internal
group-policy vendor-mainline attributes
vpn-filter value mainline_acl

username vendor-mainline attributes
vpn-group-policy vendor-mainline
vpn-filter value mainline_acl

tunnel-group vendor-mainline type ipsec-ra

tunnel-group vendor-mainline general-attributes
default-group-policy vendor-mainline

access-list mainline_acl extended permit ip any host 172.16.1.100
access-list mainline_acl extended permit ip any 192.168.2.0 255.255.255.0
0
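The answer above restricts the vendor with a vpn-filter on the group-policy, while the Vendors policy in the question only carries a split-tunnel-network-list. The script below is an added example (not code from the thread or from Cisco) that reads an ASA running-config excerpt and reports group-policies that rely on a split-tunnel list alone; the SAMPLE_CONFIG text and the policy name vendor-mainline are constructed from the posts on this page.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the Vendors policy in the question and the
# vendor-mainline policy in the answer above; not copied from any real device.
SAMPLE_CONFIG = """\
group-policy Vendors internal
group-policy Vendors attributes
 vpn-tunnel-protocol IPSec svc webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
group-policy vendor-mainline internal
group-policy vendor-mainline attributes
 vpn-filter value mainline_acl
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value mainline_split
"""

def parse_group_policies(config: str) -> Dict[str, Dict[str, str]]:
    """Map each 'group-policy <name> attributes' block to its '<attr> value <x>' lines.
    ASA prints sub-mode lines with one leading space; an unindented line closes the block."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for line in config.splitlines():
        header = re.match(r"^group-policy (\S+) attributes\s*$", line)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if not line.startswith(" "):
            current = None          # left the attributes sub-mode
            continue
        if current is not None:
            parts = line.strip().split(" value ", 1)
            if len(parts) == 2:
                current[parts[0]] = parts[1]
    return policies

def unenforced_split_tunnels(config: str) -> List[str]:
    """Names of policies that carry a split-tunnel list but no vpn-filter.

    The split-tunnel list is pushed to the client and only steers which
    destinations it sends into the tunnel; the ASA does not enforce it.
    vpn-filter is the ACL the ASA applies to the decrypted tunnel traffic.
    """
    return [name for name, attrs in parse_group_policies(config).items()
            if "split-tunnel-network-list" in attrs and "vpn-filter" not in attrs]
```

Run it against the output of `show running-config group-policy` to list the policies whose only restriction is client-side.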
 

Author Comment

by:SihleIns
ID: 24054372
The ASA keeps giving me "Invalid input detected" when I try either one of these commands
vpn-filter value mainline_acl (this one says the error is at the f in filter)
username vendor-mainline attributes (this one says the error is at the n in name)
What am I missing?  I have the latest IOS installed on the ASA.
0
 

Accepted Solution

by:
SihleIns earned 0 total points
ID: 24060125
I found the answer to my question on Cisco's website.  Both of your posts helped point me in the right direction.  Thanks.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#steps


0
