
How can I restrict VPN access to some selected users?


I have a Cisco 5520 firewall, and the SSL VPN runs through the firewall. It is integrated with my Active Directory, so everyone can use the SSL VPN service with their own username and password. I want to restrict the VPN to selected users only.

Thanks and regards
1 Solution

You can define individual user properties to restrict remote access, or you can create a remote access policy for your users. This guide will help you with all the steps: http://www.tech-faq.com/implementing-remote-access-security.shtml

Faraz H. Khan

In the above guide, this is the part for you:

How to create a remote access policy to authorize access by group
Click Start, Administrative Tools, and then select Routing And Remote Access to open the Routing And Remote Access console.
In the console tree, right-click Remote Access Policies and then select New Remote Access Policy from the shortcut menu.
The New Remote Access Policy Wizard starts.
Click Next on the New Remote Access Policy Wizard Welcome page.
When the Policy Configuration Method page appears, select the Use the wizard to set up a typical policy option.
Enter a name in the Policy name box, and then click Next.
On the Access Method page, select between the following options and then click Next: Dial-up, VPN, Wireless or Ethernet.
On the User or Group Access page, select the Group option and then click Add to specify the group name.
Using the Enter the object names to select box, specify the group and then click OK.
Click Next on the User or Group Access page.
On the Authentication Methods page, specify the authentication methods which the policy will accept and then click Next.
On the Policy Encryption Level page, specify the encryption types and then click Next.
Click Finish to create the new remote access policy.

Faraz H. Khan
With the latest code on the ASA, you can set up an AD group (i.e. VPN-Users) and add the users to whom you want to grant VPN permissions.

Then on the ASA side, since you are already integrated with LDAP, you would need to add a dynamic access policy. Something similar to:

dynamic-access-policy-record DfltAccessPolicy
dynamic-access-policy-record LDAP-VPN-USERS
 description "Security group VPN-Users Members"
 user-message "You are not identified as an authorized VPN User.  Please contact I.T."
 action terminate

I had to contact TAC when I set that up, since it's not documented in the Cisco KB yet. And although it reads "backwards", it does work in my environment.
I also included a screenshot of the policy, since it reads more logically in the ASDM. This is in Remote Access VPN -> Clientless SSL -> Dynamic Access Policy.
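The answer above only shows the DAP record, not the LDAP side that lets the ASA see the AD group. The following is an added example, not code from the original post, showing the other commonly used way to reach the same result on an ASA: map the AD memberOf attribute to the ASA Group-Policy attribute, hand members of the allowed group a permissive policy, and make the tunnel group's default policy one that allows zero simultaneous logins, so anyone not in the group is dropped at login. Every name and address here (AD-LDAP, 10.0.0.10, dc=example,dc=com, svc-asa-ldap, VPN-Users, AD-GROUP-MAP, NOACCESS, VPN-ACCESS, SSL-VPN) is an assumption for illustration; replace them with your own.

```text
! Added example (not from the original post). All names, DNs and addresses
! are assumptions; adjust them to your own directory and ASA.

! 1. LDAP server group pointing at a domain controller. server-type microsoft
!    makes the ASA use sAMAccountName-style binds and AD password handling.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa-ldap,ou=Service Accounts,dc=example,dc=com
 ldap-login-password <service-account-password>
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! 2. Attribute map: the user's memberOf values are presented to the ASA as
!    Group-Policy names. Only the DN of the allowed group is translated
!    into the name of an existing, permissive group-policy.
ldap attribute-map AD-GROUP-MAP
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=com" VPN-ACCESS

! 3. Deny policy: a user who lands here is authenticated by AD but is not
!    allowed any session, so the login is rejected.
group-policy NOACCESS internal
group-policy NOACCESS attributes
 vpn-simultaneous-logins 0

! 4. Policy applied to members of VPN-Users (adjust protocols/DNS/split tunnel).
group-policy VPN-ACCESS internal
group-policy VPN-ACCESS attributes
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client ssl-clientless
 dns-server value 10.0.0.10
 split-tunnel-policy tunnelall

! 5. Tunnel group: authenticate against AD and default everyone to NOACCESS;
!    only a successful map-value match lifts a user into VPN-ACCESS.
tunnel-group SSL-VPN type remote-access
tunnel-group SSL-VPN general-attributes
 authentication-server-group AD-LDAP
 default-group-policy NOACCESS
tunnel-group SSL-VPN webvpn-attributes
 group-alias SSL-VPN enable
```

Two things to check before relying on this: the DN in map-value must match the group's distinguishedName in AD exactly (run `test aaa-server authentication AD-LDAP username <user> password <pw>` and `debug ldap 255` to see the memberOf values the ASA actually receives), and memberOf is multi-valued, so test with a user who belongs to VPN-Users and to several other groups to confirm the ASA still selects VPN-ACCESS rather than falling back to NOACCESS. The DAP in the answer above can coexist with this; the group-policy approach simply denies earlier, at policy assignment, rather than at DAP evaluation.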
