Cisco ASA SSL VPN question

Hi Cisco experts,

Hope someone can point me in the right direction on this. Thanks.

We use an ASA5510 for VPN (AnyConnect, not IPSec), and authentication is done by an RSA SecurID appliance. Every user has their own RSA token and is allowed to VPN in.

Now we need to set up another SSL VPN profile, for one department (dev) only. When users from the dev department connect through this profile, they will have access to a dev network.

All the network/routing/rule parts have been set up correctly, but because of AnyConnect, every user (whether in the Dev department or not) will be able to see the profile for dev. And if they try, they will successfully connect.

My question is, how do I control it so that only Dev people can connect through the dev VPN profile? Thanks.
flyingsky asked:
Jody Lemoine (Network Architect) commented:
One option is to ensure that only the dev people have split tunnel entries for the dev network.  This can be done in the RADIUS server (so it would have to be done on the SecurID server) by adding Cisco-AV-Pair (attribute=5000, type=string) entries to the RADIUS server for a group or for individual accounts.  For each network you want the group or account to have access to, add an entry in the format "webvpn:split-include=a.a.a.a m.m.m.m" where a.a.a.a is the network address and m.m.m.m is the subnet mask.  When these entries are present, they replace the split tunnel defaults for the profile, so make sure you include *all* networks that should be accessed rather than just those that should be accessed in addition to the defaults.  This will also permit you to run with a single SSL VPN profile rather than two.
0
flyingsky (Author) commented:
Hi Jodylemoine,

Thank you for your help. One thing I want to point out is, when we created the second SSL VPN profile, we didn't use split tunnel to control which networks they can access; rather we are using something called "Filter" (in ASDM). So will your suggestion still work? If you think so, I will give it a try sometime soon.
0
Jody Lemoine (Network Architect) commented:
I'm not all that familiar with ASDM as I normally do all my work from the CLI.  I would look at the firewall's configuration and see if there are split tunnel entries to match the ASDM filter arguments.  If so, then you've got a match.  I *suspect* that the filter is actually a permit/deny ACL though.

I would remove the filter and try split tunnels to see if they accomplish what you're looking for. Application of ACLs to AnyConnect profiles is usually used to restrict traffic within the tunnel rather than to define what can go over the tunnel.
0
flyingsky (Author) commented:
Hi Jodylemoine,

Are you sure those cisco-av-pair strings will "replace" the split-tunnel for the profile?

I have configured my RSA RADIUS server to return the following:

webvpn:split-include=10.180.1.0 255.255.255.0

but it's not working as expected.

Thanks.
0
Jody Lemoine (Network Architect) commented:
What VPN routes are being reported by the clients when the split-include is added?
0
flyingsky (Author) commented:
How do I find out?
0
Jody Lemoine (Network Architect) commented:
When you bring the AnyConnect Client window up, the routes should be listed in the connection details.
0
flyingsky (Author) commented:
Routes are configured in the group policy of the VPN profile, not the one from RADIUS.
0
flyingsky (Author) commented:
Alright, we finally found a solution. Instead of returning "webvpn", we set up the RSA RADIUS server to return an OU name, then created a matching group policy to control split tunnelling. This solved our problem. Thank you for your help.
0
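To make concrete both the RADIUS-driven split-tunnel approach from the first answer and the OU-to-group-policy mapping the author ended up with, here is a constructed ASA CLI configuration. It is an added illustration, not configuration from this thread or from Cisco; the names GP_DEV, GP_STAFF, GP_NOACCESS, TG_DEV, TG_STAFF, DEV_SPLIT, VPN_POOL, RSA_RADIUS, the 192.0.2.10 server address and the 10.0.0.0/24 staff network are assumptions, and the 10.180.1.0/24 dev network is the one the author tested with. The ASDM "Filter" field the author mentions corresponds to `vpn-filter` in the CLI, which restricts traffic inside the tunnel, whereas `split-tunnel-network-list` decides which destinations the client sends into the tunnel at all; the two are independent. Global `webvpn`/AnyConnect enablement is omitted because the thread states it is already in place.

```text
! Constructed example (not from the thread). Names and addresses are
! assumptions for illustration; 10.180.1.0/24 is the dev network the
! author tested with.

! 1. RADIUS server group pointing at the RSA SecurID appliance.
aaa-server RSA_RADIUS protocol radius
aaa-server RSA_RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

ip local pool VPN_POOL 10.99.0.10-10.99.0.200 mask 255.255.255.0

! 2. Split-tunnel ACLs: which destinations each class of user tunnels.
access-list DEV_SPLIT standard permit 10.180.1.0 255.255.255.0
access-list STAFF_SPLIT standard permit 10.0.0.0 255.255.255.0

! 3. Group policy for dev users. RSA RADIUS must return the IETF Class
!    attribute (25) as "OU=GP_DEV;" for these accounts; the ASA maps
!    that value to the group policy of the same name.
!    group-lock refuses the session if the user picked any other
!    connection profile than TG_DEV.
group-policy GP_DEV internal
group-policy GP_DEV attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DEV_SPLIT
 group-lock value TG_DEV

! 4. Group policy for everyone else ("OU=GP_STAFF;" from RADIUS),
!    locked to the regular profile so staff cannot use the dev one.
group-policy GP_STAFF internal
group-policy GP_STAFF attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value STAFF_SPLIT
 group-lock value TG_STAFF

! 5. Fallback policy: a user RADIUS does not map to any group policy
!    lands here and gets zero sessions, i.e. is denied.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0

! 6. Connection profiles (what AnyConnect lists as selectable profiles).
!    Both default to GP_NOACCESS, so only a RADIUS-assigned group
!    policy ever grants access, and group-lock pins it to one profile.
tunnel-group TG_DEV type remote-access
tunnel-group TG_DEV general-attributes
 address-pool VPN_POOL
 authentication-server-group RSA_RADIUS
 default-group-policy GP_NOACCESS
tunnel-group TG_DEV webvpn-attributes
 group-alias dev enable

tunnel-group TG_STAFF type remote-access
tunnel-group TG_STAFF general-attributes
 address-pool VPN_POOL
 authentication-server-group RSA_RADIUS
 default-group-policy GP_NOACCESS
tunnel-group TG_STAFF webvpn-attributes
 group-alias staff enable
```

On ASA releases before 8.4 the tunnel protocol keyword is `svc` rather than `ssl-client`. After a test login, `show vpn-sessiondb anyconnect` shows which group policy and tunnel group a session was actually assigned, which is the quickest way to confirm that the RADIUS Class attribute arrived and matched. If the Class attribute is absent or misspelled, the user falls into GP_NOACCESS and is denied rather than silently getting the default policy, which is the safer failure mode for a profile that is supposed to be department-restricted.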
Jody Lemoine (Network Architect) commented:
Hey flyingsky, I'd be very interested in further details on your approach.  It sounds interesting.
0
Jody Lemoine (Network Architect) commented:
While the specific implementation advised was not the ultimate solution used by the question's author, the implementation of RADIUS-based tagging to control split tunnelling was in line with my original suggestion.  If the question's author was able to find a solution himself based on being pointed in the correct direction by my advice as he indicates in his close request, then the answer is worth being accepted with a "B" grade rather than being closed with no points awarded.
0
flyingsky (Author) commented:
Hi Jodylemoine,

I think there's a miscommunication somewhere. I did award you 250 points for giving me direction; I don't know why you said no points were awarded.

I myself am a qualified expert for this site, so I understand it is fair to get rewarded for all the hard work.
0
Jody Lemoine (Network Architect) commented:
Hey flyingsky.  Something didn't show up correctly then as no 250-point message came through and the close message said 0 points.  Not sure what's up there.
0
Jody Lemoine (Network Architect) commented:
Okay... looking at it closer, the 250-point assist showed up in the objection ticket, but not in the close request or in any of the update emails that I received.  Sorry for proceeding with not enough information there.  Want to try closing it the same way again and I'll just assume that everything will go through properly?
0