• Status: Solved
  • Priority: Medium
  • Security: Public

How can I restrict VPN access to some selected users?

Hi,

I have a Cisco 5520 firewall, and the SSL VPN goes through the firewall. It is integrated with my Active Directory, so everyone can use the SSL VPN service with their own username and password. I want to restrict the VPN to selected users only.

Thanks and regards,
Asked by: EidMajdi
1 Solution
 
farazhkhan commented:
Hi,

You can set individual user properties to restrict remote access, or you can create a remote access policy for your users. This guide will help you with all the steps: http://www.tech-faq.com/implementing-remote-access-security.shtml

Regards,
Faraz H. Khan
 
farazhkhan commented:
Hi,

In the above guide, this is the part for you:

How to create a remote access policy to authorize access by group
-----------------------------------------------------------------------------------
1. Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
2. In the console tree, right-click Remote Access Policies and then select New Remote Access Policy from the shortcut menu. The New Remote Access Policy Wizard starts.
3. Click Next on the New Remote Access Policy Wizard Welcome page.
4. When the Policy Configuration Method page appears, select the "Use the wizard to set up a typical policy" option.
5. Enter a name in the Policy name box, and then click Next.
6. On the Access Method page, select one of the following options and then click Next: Dial-up, VPN, Wireless or Ethernet.
7. On the User or Group Access page, select the Group option and then click Add to specify the group name.
8. Using the "Enter the object names to select" box, specify the group and then click OK.
9. Click Next on the User or Group Access page.
10. On the Authentication Methods page, specify the authentication methods the policy will accept and then click Next.
11. On the Policy Encryption Level page, specify the encryption types and then click Next.
12. Click Finish to create the new remote access policy.

Regards,
Faraz H. Khan
 
MikeKane commented:
With the latest code on the ASA, you can set up an AD group (e.g. VPN-Users) and add the users to whom you want to grant VPN permissions.

Then on the ASA side, since you are already integrated with LDAP, you would need to add a dynamic access policy.  Something similar to:

dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record LDAP-VPN-USERS
 description "Security group VPN-Users Members"
 user-message "You are not identified as an authorized VPN User.  Please contact I.T."
 action terminate

I had to contact TAC when I set that up since it's not documented in the Cisco KB yet. And although it reads "backwards", it does work in my environment.
I also included a screenshot of the policy since it reads more logically in the ASDM. This is in Remote Access VPN -> Clientless SSL -> Dynamic Access Policy.

Attachment: dynamic-example.doc
