Cisco ASA SSL VPN question

Hi Cisco experts,
    Hope someone can point me in the right direction on this. Thanks.
    We use an ASA5510 for VPN (AnyConnect, not IPsec), and authentication is done by an RSA SecurID appliance. Every user has their own RSA token and is allowed to VPN in.
    Now we need to set up another SSL VPN profile, for one department (Dev) only. When users from the Dev department connect through this profile, they will have access to a Dev network.
    All the network/routing/rule parts have been set up correctly, but because of AnyConnect, every user (whether in the Dev department or not) will be able to see the profile for Dev. And if they try, they will successfully connect.
    My question is, how do I control it so that only Dev people can connect through the Dev VPN profile? Thanks.
flyingskyAuthor Commented:
Alright, we finally found a solution. Instead of returning "webvpn", we set up the RSA RADIUS server to return an OU name, then created a matching group policy to control split tunnelling. This solved our problem. Thank you for your help.
 
Jody LemoineNetwork ArchitectCommented:
One option is to ensure that only the dev people have split tunnel entries for the dev network.  This can be done in the RADIUS server (so it would have to be done on the SecurID server) by adding Cisco-AV-Pair (attribute=5000, type=string) entries to the RADIUS server for a group or for individual accounts.  For each network you want the group or account to have access to, add an entry in the format "webvpn:split-include=a.a.a.a m.m.m.m" where a.a.a.a is the network address and m.m.m.m is the subnet mask.  When these entries are present, they replace the split tunnel defaults for the profile, so make sure you include *all* networks that should be accessed rather than just those that should be accessed in addition to the defaults.  This will also permit you to run with a single SSL VPN profile rather than two.
 
flyingskyAuthor Commented:
Hi Jodylemoine,
        Thank you for your help. One thing I want to point out is, when we created the second SSL VPN profile, we didn't use split tunnelling to control which network they can access; rather we are using something called "Filter" (in ASDM). So will your suggestion still work? If you think so, I will give it a try sometime soon.
 
Jody LemoineNetwork ArchitectCommented:
I'm not all that familiar with ASDM as I normally do all my work from the CLI.  I would look at the firewall's configuration and see if there are split tunnel entries to match the ASDM filter arguments.  If so, then you've got a match.  I *suspect* that the filter is actually a permit/deny ACL though.

I would remove the filter and try split tunnels to see if they accomplish what you're looking for.  Application of ACLs to AnyConnect profiles is usually used to restrict traffic within the tunnel rather than to define what can go over the tunnel.
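To make the two mechanisms discussed above concrete (RADIUS-driven group policy selection as in the accepted solution, versus the ASDM "Filter", which is the `vpn-filter` ACL Jody describes), here is an added ASA CLI example. It is not configuration from the thread or from Cisco; the object names (RSA_RADIUS, GP_DEFAULT, GP_DEV, SPLIT_DEFAULT, SPLIT_DEV, ACL_DEV, TG_ANYCONNECT, VPN_POOL), the server address, the address pool and the 10.10.0.0/16 "default" network are assumptions, and only 10.180.1.0/24 is the Dev network named in the thread. The RADIUS side is described in comments because the RSA appliance's own syntax is not shown on this page.

```cisco
! Added example (not from the thread): ASA side of a setup where the RADIUS
! server returns Class (attribute 25) = "OU=GP_DEV;" only for Dev users.
! The ASA applies the group policy whose name matches the OU value; any user
! without that attribute lands in the tunnel-group's default group policy.
! All names, addresses and the key below are assumptions for illustration.

! RADIUS server group pointing at the RSA SecurID appliance
aaa-server RSA_RADIUS protocol radius
aaa-server RSA_RADIUS (inside) host 10.0.0.5
 key ChangeMe
 authentication-port 1812
 accounting-port 1813

ip local pool VPN_POOL 10.200.0.10-10.200.0.250 mask 255.255.255.0

! Policy for everyone else: Dev network is not in the split-tunnel list,
! so the client never routes traffic for it over the VPN
access-list SPLIT_DEFAULT standard permit 10.10.0.0 255.255.0.0
group-policy GP_DEFAULT internal
group-policy GP_DEFAULT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DEFAULT

! Dev policy: selected only when RADIUS replies with Class = "OU=GP_DEV;"
access-list SPLIT_DEV standard permit 10.180.1.0 255.255.255.0
! vpn-filter is what ASDM labels "Filter". It permits or denies traffic that
! is already inside the tunnel; it does not change which routes the client
! sends into the tunnel, which is why the filter alone cannot hide the Dev
! network from non-Dev users.
access-list ACL_DEV extended permit ip any 10.180.1.0 255.255.255.0
group-policy GP_DEV internal
group-policy GP_DEV attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_DEV
 vpn-filter value ACL_DEV

! One connection profile for all users. Which group policy applies is decided
! by the RADIUS reply at login, not by which profile the user picked in the
! AnyConnect dropdown, so a non-Dev user cannot "choose" the Dev network.
tunnel-group TG_ANYCONNECT type remote-access
tunnel-group TG_ANYCONNECT general-attributes
 authentication-server-group RSA_RADIUS
 default-group-policy GP_DEFAULT
```

Two practical checks follow from this layout. First, after connecting, the routes listed under the AnyConnect client's connection details should be exactly the entries of the split-tunnel ACL the user was mapped to; if a Dev user sees only the SPLIT_DEFAULT networks, the Class attribute is not arriving or its OU value does not match the group-policy name character for character (the trailing semicolon is part of the expected format). Second, if you do keep two connection profiles, the standard `group-lock value <tunnel-group>` setting inside a group policy rejects logins from any other profile, which is the direct answer to "only Dev people can connect through the Dev profile"; it is not something the thread tried, so treat it as an additional option rather than the solution the author used.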
 
flyingskyAuthor Commented:
Hi Jodylemoine,
    Are you sure those cisco-av-pair strings will "replace" the split tunnel for the profile?
    I have configured my RSA RADIUS server to return the following:
    webvpn:split-include=10.180.1.0 255.255.255.0
    but it's not working as expected.
    Thanks.
 
Jody LemoineNetwork ArchitectCommented:
What VPN routes are being reported by the clients when the split-include is added?
 
flyingskyAuthor Commented:
how do I find out?
 
Jody LemoineNetwork ArchitectCommented:
When you bring the AnyConnect Client window up, the routes should be listed in the connection details.
 
flyingskyAuthor Commented:
Routes are configured in the group policy of the VPN profile, not the one in the RADIUS.
 
Jody LemoineNetwork ArchitectCommented:
Hey flyingsky, I'd be very interested in further details on your approach.  It sounds interesting.
 
Jody LemoineNetwork ArchitectCommented:
While the specific implementation advised was not the ultimate solution used by the question's author, the implementation of RADIUS-based tagging to control split tunnelling was in line with my original suggestion.  If the question's author was able to find a solution himself based on being pointed in the correct direction by my advice as he indicates in his close request, then the answer is worth being accepted with a "B" grade rather than being closed with no points awarded.
 
flyingskyAuthor Commented:
Hi Jodylemoine,
    I think there's a miscommunication somewhere. I did award you 250 points for giving me direction; I don't know why you said no points were awarded.
    I myself am a qualified expert on this site, so I understand it is fair to get rewarded for all the hard work.
 
Jody LemoineNetwork ArchitectCommented:
Hey flyingsky.  Something didn't show up correctly then as no 250-point message came through and the close message said 0 points.  Not sure what's up there.
 
Jody LemoineNetwork ArchitectCommented:
Okay... looking at it closer, the 250-point assist showed up in the objection ticket, but not in the close request or in any of the update emails that I received.  Sorry for proceeding with not enough information there.  Want to try closing it the same way again and I'll just assume that everything will go through properly?