SihleIns
asked on
How do I restrict VPN VLAN network access by username?
I'm trying to configure my Cisco ASA 5510 to restrict VPN network access to only one VLAN on the internal network, based on the username used to log in. I have a vendor that set up our Audio/Visual equipment, and they need remote access to fix programming problems from time to time. I want to either create a username for them on the ASA or on the domain, whichever will make this work. Then I need them to only be allowed access to 10.1.40.0 255.255.255.0.
I have tried multiple configurations to make this work, and the only way I seem to be able to come close is to block access on the Outside interface for the IP range 192.168.50.0 to anything else on the internal network except for 10.1.40.0, since 192.168.50.0 is the range assigned to the VPN group. This solution then blocks everyone using the VPN and doesn't completely solve my problem.
I have tried assigning an ACL to the VPN group, but it doesn't seem to take; I must be missing something. I also don't completely understand how a tunnel group works, which might be part of my problem.
Here is a little info about how my network is configured.
Internet <----->ASA<---->Cisco 4503<---->LAN
All of my VLANs are configured on the 4503.
Thanks in advance for any help you might be able to provide. Here is my current config:
: Saved
:
ASA Version 8.0(4)
!
hostname Ciscoasa
domain-name corp.domain.com
enable password
passwd
names
dns-guard
!
interface Ethernet0/0
nameif Outside
security-level 0
ip address "Outside IP" 255.255.255.252
!
interface Ethernet0/1
nameif Inside
security-level 100
ip address 10.0.0.253 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
boot system disk0:/asa804-k8.bin
ftp mode passive
dns domain-lookup Outside
dns domain-lookup Inside
dns domain-lookup management
dns server-group DefaultDNS
name-server 10.0.0.2
domain-name corp.domain.com
object-group service RDP tcp
description Terminal Services Connections
port-object range 3389 3389
object-group service IMAP4 tcp-udp
description IMAP4 iPhones
port-object range 143 143
object-group service SSL-IMAP tcp-udp
description SSL IMAP for iPhones
port-object range 993 993
object-group service Inter-tel-5566 tcp
description Inter-tel TCP 5566
port-object eq 5566
object-group service Inter-tel-5567 udp
description Inter-tel UDP 5567
port-object eq 5567
object-group service DM_INLINE_TCP_1 tcp
group-object IMAP4
group-object SSL-IMAP
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_TCP_2 tcp
port-object eq www
port-object eq https
object-group service Blocked-Ports
description Q-Charts Ports 8048 - 8049 unassigned
service-object tcp-udp eq 8048
service-object tcp-udp eq 8049
service-object tcp-udp eq 2189
service-object tcp-udp source eq 23100 eq 23100
service-object tcp-udp source eq 24100 eq 24100
object-group service SSL-VPN tcp-udp
description Cisco SSL VPN Client
port-object eq 444
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 10.1.40.0 255.255.255.0
access-list Outside_access_in extended permit ip 192.168.50.0 255.255.255.0 any inactive
access-list Outside_access_in remark Terminal Server Connections
access-list Outside_access_in extended permit tcp any interface Outside object-group RDP
access-list Outside_access_in remark Inscope Website
access-list Outside_access_in extended permit tcp any interface Outside eq 8081
access-list Outside_access_in remark SMTP Postini Inbound to SihleExchange
access-list Outside_access_in extended permit tcp 64.18.0.0 255.255.240.0 interface Outside eq smtp
access-list Outside_access_in remark SSL IMAP iPhones
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_1 inactive
access-list Outside_access_in remark Outlook Web Access SSL Connection
access-list Outside_access_in extended permit tcp any interface Outside object-group DM_INLINE_TCP_2
access-list Outside_access_in remark Inter-tel TCP Port 5566
access-list Outside_access_in extended permit tcp any interface Outside eq 5566
access-list Outside_access_in remark Inter-tel TCP Port 5567
access-list Outside_access_in extended permit udp any interface Outside eq 5567
access-list Outside_access_in remark IP Phone Audio
access-list Outside_access_in extended permit udp any interface Outside range 5000 5565
access-list Inside_access_in remark SMTP Outbound SihleExchange
access-list Inside_access_in extended permit tcp host 10.0.0.4 64.18.0.0 255.255.240.0 eq smtp
access-list Inside_access_in remark Block All Outbound SMTP Traffic
access-list Inside_access_in extended deny tcp any any eq smtp
access-list Inside_access_in remark Block AOL Instant Messenger
access-list Inside_access_in extended deny tcp any any eq aol inactive
access-list Inside_access_in remark Q-Charts
access-list Inside_access_in extended deny object-group Blocked-Ports any any
access-list Inside_access_in extended permit ip any any
access-list VPN_Clients remark VPN Clients
access-list VPN_Clients extended permit ip any 192.168.25.0 255.255.255.0
access-list VPN_Clients extended permit ip any 192.168.50.0 255.255.255.0
access-list Audio_Visual_VLAN_Only remark VLAN 40 Access Only
access-list Audio_Visual_VLAN_Only standard permit 10.1.40.0 255.255.255.0
access-list Audio_Visual_VLAN_Only remark No Access
access-list Audio_Visual_VLAN_Only standard deny any
pager lines 24
logging enable
logging list Custom-Log level debugging
logging asdm warnings
logging from-address ASA5510@domain.com
logging recipient-address email@address.com level emergencies
logging facility 16
logging debug-trace
logging ftp-server 10.0.0.248 ASA5510
mtu Outside 1500
mtu Inside 1500
mtu management 1500
ip local pool VPN 192.168.25.100-192.168.25.150 mask 255.255.255.0
ip local pool Vendors 192.168.50.100-192.168.50.105 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-61551.bin
no asdm history enable
arp timeout 14400
nat-control
global (Outside) 1 interface
nat (Inside) 0 access-list VPN_Clients
nat (Inside) 0 192.168.25.0 255.255.255.0
nat (Inside) 1 0.0.0.0 0.0.0.0
static (Inside,Outside) tcp interface 3389 10.0.0.3 3389 netmask 255.255.255.255
static (Inside,Outside) tcp interface 8081 10.0.0.11 8081 netmask 255.255.255.255
static (Inside,Outside) tcp interface smtp 10.0.0.4 smtp netmask 255.255.255.255
static (Inside,Outside) tcp interface www 10.0.0.4 www netmask 255.255.255.255
static (Inside,Outside) tcp interface https 10.0.0.4 https netmask 255.255.255.255
static (Inside,Outside) tcp interface 993 10.0.0.4 993 netmask 255.255.255.255
static (Inside,Outside) udp interface 993 10.0.0.4 993 netmask 255.255.255.255
static (Inside,Outside) tcp interface imap4 10.0.0.4 imap4 netmask 255.255.255.255
static (Inside,Outside) udp interface 143 10.0.0.4 143 netmask 255.255.255.255
access-group Outside_access_in in interface Outside
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 209.16.116.125 10
route Inside 10.0.4.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.2.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.5.0 255.255.255.0 10.0.0.254 1
route Inside 10.1.12.0 255.255.255.0 10.1.12.1 1
route Inside 10.1.15.0 255.255.255.0 10.1.15.1 1
route Inside 10.1.20.0 255.255.255.0 10.1.20.1 1
route Inside 10.1.35.0 255.255.255.0 10.1.35.1 1
route Inside 10.1.40.0 255.255.255.0 10.1.40.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server 10.0.0.2 protocol radius
aaa-server 10.0.0.2 (Inside) host Sihle-DC
key
radius-common-pw
aaa-server Sihle-Domain protocol nt
aaa-server Sihle-Domain (Inside) host Sihle-DC
nt-auth-domain-controller Sihle-DC
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.255.255.0 Inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
fqdn Ciscoasa.corp.domain.com
subject-name CN=Ciscoasa.corp.domain.com
keypair key
crl configure
crypto ca server
shutdown
crypto ca certificate chain ASDM_TrustPoint0
certificate 31
30820208 30820171 a0030201 02020131 300d0609 2a864886 f70d0101 04050030
quit
crypto isakmp enable Outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet 10.0.0.0 255.255.255.0 Inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 10.0.0.2 10.0.0.5
dhcpd wins 10.0.0.2 10.0.0.2
dhcpd domain corp.domain.com
!
dhcpd address 192.168.1.2-192.168.1.254 management
!
vpn load-balancing
interface lbpublic Inside
interface lbprivate Inside
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
port 444
enable Outside
dtls port 444
csd image disk0:/csd_3.4.1108.pkg
csd enable
svc image disk0:/anyconnect-win-2.3.0254-k9.pkg 2
svc enable
tunnel-group-list enable
internal-password enable
group-policy DfltGrpPolicy attributes
wins-server value 10.0.0.2
dns-server value 10.0.0.2 10.0.0.5
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy Vendors internal
group-policy Vendors attributes
banner value This network is intended for private use only.
vpn-tunnel-protocol IPSec svc webvpn
group-lock value Vendors
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Audio_Visual_VLAN_Only
address-pools value Vendors
username encrypted privilege 0
username attributes
vpn-group-policy DfltGrpPolicy
tunnel-group Employees type remote-access
tunnel-group Employees general-attributes
address-pool (Inside) VPN
authentication-server-group Sihle-Domain
tunnel-group Employees webvpn-attributes
group-alias Employees enable
tunnel-group Vendors type remote-access
tunnel-group Vendors general-attributes
address-pool (Inside) Vendors
address-pool Vendors
authentication-server-group Sihle-Domain
authentication-server-group (Inside) LOCAL
tunnel-group Vendors webvpn-attributes
group-alias Vendors enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns migrated_dns_map_1
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
smtp-server 10.0.0.4
prompt hostname context
Cryptochecksum:e085db01e0bd4b96f07cfbc7fc1aae14
: end
asdm image disk0:/asdm-61551.bin
asdm location 10.0.0.33 255.255.255.255 Inside
asdm location 10.1.40.0 255.255.255.0 Inside
asdm location 192.168.50.0 255.255.255.0 Inside
no asdm history enable
You need a group-policy and a tunnel-group specific to the vendor and a defined ACL with the hosts and/or nets you want the user to be able to access, then create the user(s) and put the user(s) into the group; here's an example:
group-policy vendor-mainline internal
group-policy vendor-mainline attributes
vpn-filter value mainline_acl
username vendor-mainline attributes
vpn-group-policy vendor-mainline
vpn-filter value mainline_acl
tunnel-group vendor-mainline type ipsec-ra
tunnel-group vendor-mainline general-attributes
default-group-policy vendor-mainline
access-list mainline_acl extended permit ip any host 172.16.1.100
access-list mainline_acl extended permit ip any 192.168.2.0 255.255.255.0
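The same ACL / group-policy / username / tunnel-group chain applied to the asker's own addressing (VLAN 40 at 10.1.40.0/24, the Vendors pool at 192.168.50.0/24), written in the order and the command modes the ASA 8.0 CLI accepts. This is an added example, not configuration from the thread; the names AV_Vendor_Filter, AV-Vendor and av-vendor are assumed, and the password is a placeholder.

```cisco
! Added example, not from the original thread. Assumed names: ACL
! AV_Vendor_Filter, group-policy and tunnel-group AV-Vendor, user av-vendor.
!
! 1. Define the filter ACL first so later references resolve.
!    For a vpn-filter the source is the VPN client address and the
!    destination is the internal network; the ASA checks connections
!    started from the inside with source/destination swapped, so one
!    "permit ip" line covers both directions. The implicit deny at the
!    end of the ACL drops everything else (the other VLANs, 10.0.0.0/24).
access-list AV_Vendor_Filter remark AV vendor: VLAN 40 only
access-list AV_Vendor_Filter extended permit ip 192.168.50.0 255.255.255.0 10.1.40.0 255.255.255.0
!
! 2. Group policy. "vpn-filter" is only valid inside attributes mode;
!    typed at the global config prompt it returns "Invalid input detected".
group-policy AV-Vendor internal
group-policy AV-Vendor attributes
 vpn-filter value AV_Vendor_Filter
 vpn-tunnel-protocol IPSec svc webvpn
 address-pools value Vendors
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Audio_Visual_VLAN_Only
 ! group-lock stops this account from connecting through the Employees
 ! tunnel group and inheriting its unrestricted policy instead.
 group-lock value AV-Vendor
!
! 3. Local account. The user has to be created with a password before
!    "username ... attributes" is accepted.
username av-vendor password PLACEHOLDER-PASSWORD
username av-vendor attributes
 vpn-group-policy AV-Vendor
!
! 4. Tunnel group that authenticates against the LOCAL database and hands
!    every session the restricted group policy by default.
tunnel-group AV-Vendor type remote-access
tunnel-group AV-Vendor general-attributes
 address-pool Vendors
 authentication-server-group LOCAL
 default-group-policy AV-Vendor
tunnel-group AV-Vendor webvpn-attributes
 group-alias AV-Vendor enable
!
! 5. Verify once the vendor connects: the session should show the filter
!    name, and the ACL hit counter should increase only for VLAN 40 traffic.
! show vpn-sessiondb remote filter name av-vendor
! show access-list AV_Vendor_Filter
```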
ASKER
The ASA keeps giving me "Invalid input detected" when I try either one of these commands:
vpn-filter value mainline_acl (this one says the error is at the f in filter)
username vendor-mainline attributes (this one says the error is at the n in name)
What am I missing? I have the latest IOS installed on the ASA.
ASKER CERTIFIED SOLUTION
Here's a doc on creating ACLs on the PIX and ASA.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080702992.shtml#maintask1