Solved

How do I restrict VPN VLAN network access by username?

Posted on 2009-04-02
Last Modified: 2012-05-06
I'm trying to configure my Cisco ASA 5510 to restrict VPN network access to only one VLAN on the internal network, based on the username used to log in. I have a vendor that set up our Audio/Visual equipment and they need remote access to fix programming problems from time to time. I want to either create a username for them on the ASA or on the domain, whichever will make this work. Then I need them to only be allowed access to 10.1.40.0 255.255.255.0

I have tried multiple configurations to make this work and the only way I seem to be able to come close is to block access on the Outside interface for the IP range 192.168.50.0 to anything else on the internal network except for 10.1.40.0, since 192.168.50.0 is the range assigned to the VPN group. This solution then blocks everyone using the VPN and doesn't completely solve my problem.

I have tried assigning an ACL to the VPN group but it doesn't seem to take; I must be missing something. I also don't understand completely how a tunnel group works, which might be part of my problem.

Here is a little info about how my network is configured.

Internet <----->ASA<---->Cisco 4503<---->LAN
All of my VLANs are configured on the 4503.

Thanks in advance for any help you might be able to provide.  Here is my current config:

: Saved
:
ASA Version 8.0(4)
!
hostname Ciscoasa
domain-name corp.domain.com
enable password 
passwd 
names
dns-guard
!
interface Ethernet0/0
 nameif Outside
 security-level 0
 ip address "Outside IP" 255.255.255.252
!
interface Ethernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.253 255.255.255.0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
 name-server 10.0.0.2
 domain-name corp.domain.com
object-group service RDP tcp
 description Terminal Services Connections
 port-object range 3389 3389
object-group service IMAP4 tcp-udp
 description IMAP4  iPhones
 port-object range 143 143
object-group service SSL-IMAP tcp-udp
 description SSL IMAP for iPhones
 port-object range 993 993
object-group service Inter-tel-5566 tcp
 description Inter-tel TCP 5566
 port-object eq 5566
object-group service Inter-tel-5567 udp
 description Inter-tel UDP 5567
 port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
 group-object IMAP4
 group-object SSL-IMAP
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
 port-object eq www
 port-object eq https
object-group service Blocked-Ports
 description Q-Charts Ports 8048 - 8049 unassigned
 service-object tcp-udp eq 8048
 service-object tcp-udp eq 8049
 service-object tcp-udp eq 2189
 service-object tcp-udp source eq 23100 eq 23100
 service-object tcp-udp source eq 24100 eq 24100
object-group service SSL-VPN tcp-udp
 description Cisco SSL VPN Client
 port-object eq 444
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 any inactive
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface Outside eq smtp
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565
access-list Inside_access_in remark SMTP Outbound SihleExchange
access-list Inside_access_in extended permit tcp host 10.0.0.4 64.18.0.0 255.255.240.0 eq smtp
access-list Inside_access_in remark Block All Outbound SMTP Traffic
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in remark Block AOL Instant Messenger
access-list Inside_access_in extended deny tcp any any eq aol inactive
access-list Inside_access_in remark Q-Charts
access-list Inside_access_in extended deny object-group Blocked-Ports any any
access-list Inside_access_in extended permit ip any any
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any 192.168.25.0 255.255.255.0
access-list VPN_Clients extended permit ip any 192.168.50.0 255.255.255.0
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit 10.1.40.0 255.255.255.0
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address email@address.com level emergencies
logging facility 16
logging debug-trace
logging ftp-server 10.0.0.248 ASA5510
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 192.168.25.100-192.168.25.150 mask 255.255.255.0
ip local pool Vendors 192.168.50.100-192.168.50.105 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0 192.168.25.0 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface 3389 10.0.0.3 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8081 10.0.0.11 8081 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 10.0.0.4 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.4 www netmask 255.255.255.255
static (Inside,Outside) tcp interface https 10.0.0.4 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 993 10.0.0.4 993 netmask 255.255.255.255
static (Inside,Outside) udp interface 993 10.0.0.4 993 netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 10.0.0.4 imap4 netmask 255.255.255.255
static (Inside,Outside) udp interface 143 10.0.0.4 143 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 209.16.116.125 10
route Inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.2.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.5.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.12.0 255.255.255.0 10.1.12.1 1
route Inside 10.1.15.0 255.255.255.0 10.1.15.1 1
route Inside 10.1.20.0 255.255.255.0 10.1.20.1 1
route Inside 10.1.35.0 255.255.255.0 10.1.35.1 1
route Inside 10.1.40.0 255.255.255.0 10.1.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.0.0.2 protocol radius
aaa-server 10.0.0.2 (Inside) host Sihle-DC
 key 
 radius-common-pw 
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
 nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 fqdn Ciscoasa.corp.domain.com
 subject-name CN=Ciscoasa.corp.domain.com
 keypair key
 crl configure
crypto ca server
 shutdown
crypto ca certificate chain ASDM_TrustPoint0
 certificate 31
    30820208 30820171 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
    quit
crypto isakmp enable Outside
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 10.0.0.5
dhcpd wins 10.0.0.2 10.0.0.2
dhcpd domain corp.domain.com
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
vpn load-balancing
 interface lbpublic Inside
 interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
 port 444
 enable Outside
 dtls port 444
 csd image disk0:/csd_3.4.1108.pkg
 csd enable
 svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
 svc enable
 tunnel-group-list enable
 internal-password enable
group-policy DfltGrpPolicy attributes
 wins-server value 10.0.0.2
 dns-server value 10.0.0.2 10.0.0.5
 vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Vendors internal
group-policy Vendors attributes
 banner value This network is intended for private use only.
 vpn-tunnel-protocol IPSec svc webvpn
 group-lock value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 address-pools value Vendors
username  encrypted privilege 0
username  attributes
 vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
 address-pool (Inside) VPN
 authentication-server-group Sihle-Domain
tunnel-group Employees webvpn-attributes
 group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
 address-pool (Inside) Vendors
 address-pool Vendors
 authentication-server-group Sihle-Domain
 authentication-server-group (Inside) LOCAL
tunnel-group Vendors webvpn-attributes
 group-alias Vendors enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.4
prompt hostname context
Cryptochecksum:e085db01e0bd4b96f07cfbc7fc1aae14
: end
asdm image disk0:/asdm-61551.bin
asdm location 10.0.0.33 255.255.255.255 Inside
asdm location 10.1.40.0 255.255.255.0 Inside
asdm location 192.168.50.0 255.255.255.0 Inside
no asdm history enable

Question by:SihleIns
Expert Comment by: 2PiFL
I create a tunnel group for each individual with their own ACL. We don't get many requests for "outside" people to access our network, so this works for us.

Here's a doc on creating ACLs on the PIX and ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#maintask1
Expert Comment by: stsonline
You need a group-policy and a tunnel-group specific to the vendor and a defined ACL with the hosts and/or nets you want the user to be able to access, then create the user(s) and put the user(s) into the group. Here's an example:

! ACL listing what the vendor may reach (implicit deny at the end)
access-list mainline_acl extended permit ip any host 172.16.1.100
access-list mainline_acl extended permit ip any 192.168.2.0 255.255.255.0

! Group policy that carries the filter
group-policy vendor-mainline internal
group-policy vendor-mainline attributes
 vpn-filter value mainline_acl

! Tunnel group that hands out that group policy
tunnel-group vendor-mainline type ipsec-ra
tunnel-group vendor-mainline general-attributes
 default-group-policy vendor-mainline

! Per-user attributes (the username must already exist)
username vendor-mainline attributes
 vpn-group-policy vendor-mainline
 vpn-filter value mainline_acl
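As an added example, not code from the original thread or from Cisco, here is the vpn-filter approach described above applied to the configuration in the question: the Vendors pool is 192.168.50.0/24 and VLAN 40 is 10.1.40.0/24, both taken from the posted config. Two things in that config matter here. The standard ACL Audio_Visual_VLAN_Only bound to split-tunnel-network-list only tells the VPN client which routes to send into the tunnel; the ASA does not enforce it. And because sysopt connection permit-vpn is on by default (it is not disabled in the posted config), decrypted VPN traffic bypasses the Outside_access_in interface ACL, so the two 192.168.50.0 entries at the top of that ACL do not restrict anything. A vpn-filter is an extended ACL the ASA enforces on tunnel traffic in both directions, with an implicit deny at the end. The username av-vendor, its password placeholder and the ACL name AV_VENDOR_FILTER are assumptions for this example.

```cisco
! Added example (not from the original post). Assumes: vendor pool
! 192.168.50.0/24 and VLAN 40 = 10.1.40.0/24 as in the posted config;
! the account av-vendor is hypothetical and is authenticated locally.
!
! 1. Extended ACL used as the VPN filter. Both directions are written out
!    so the filter works whichever side the ASA treats as the source for
!    a given flow; everything else hits the implicit deny.
access-list AV_VENDOR_FILTER remark Vendor VPN pool <-> VLAN 40 only
access-list AV_VENDOR_FILTER extended permit ip 192.168.50.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list AV_VENDOR_FILTER extended permit ip 10.1.40.0 255.255.255.0 192.168.50.0 255.255.255.0
!
! 2. Attach the filter to the existing Vendors group policy. vpn-filter is a
!    submode attribute: it is only accepted inside
!    "group-policy ... attributes" (or "username ... attributes"), never at
!    the top-level config prompt.
group-policy Vendors attributes
 vpn-filter value AV_VENDOR_FILTER
!
! 3. Local account for the vendor, locked to the Vendors tunnel group.
!    The account must be created before "username ... attributes" is
!    accepted. Username-level values override the group-policy values.
username av-vendor password <strong-password> privilege 0
username av-vendor attributes
 vpn-group-policy Vendors
 vpn-filter value AV_VENDOR_FILTER
 group-lock value Vendors
!
! 4. The posted Vendors tunnel group has no default-group-policy; set it
!    so anyone landing in that tunnel group gets the restricted policy
!    even without a per-user override.
tunnel-group Vendors general-attributes
 default-group-policy Vendors
!
! 5. Verification once the vendor is connected (IPsec client or AnyConnect):
!    show vpn-sessiondb detail remote filter name av-vendor
!    show vpn-sessiondb detail svc filter name av-vendor
!      -> the session detail lists the Filter Name in effect
!    show access-list AV_VENDOR_FILTER
!      -> hit counts should rise for VLAN 40 traffic and stay flat for
!         anything else the vendor tries
```

Two of the errors reported later in this thread follow from the submode rule above: `vpn-filter value ...` typed at the plain config prompt, and `username X attributes` for an account that does not yet exist, both return "Invalid input detected". For port-specific entries (eq 3389 and the like) the side the ASA treats as source in a vpn-filter is documented in the VPN filter section of the ASA configuration guide; the IP-level entries above are deliberately written in both directions so they do not depend on it.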
Author Comment by: SihleIns
The ASA keeps giving me "Invalid input detected" when I try either one of these commands:
vpn-filter value mainline_acl (this one says the error is at the f in filter)
username vendor-mainline attributes (this one says the error is at the n in name)
What am I missing? I have the latest IOS installed on the ASA.
Accepted Solution by: SihleIns
I found the answer to my question on Cisco's website. Both of your posts helped point me in the right direction. Thanks.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702999.shtml#steps

