AnyConnect to DMZ

XorgeD
Hi,

I am new to the ASA, I need some help with the following

I need an SSL VPN client to access only a particular DMZ sub-interface/VLAN; I have several. Some of my internal servers access some servers on the DMZ with no problem. Each DMZ VLAN has NAT, so every VLAN sends traffic out through a different public IP.

I configured the 5520 for SSL VPN. The AnyConnect client is "Connecting", auth is local, and the client is receiving an IP from the vpnpool I configured, but I don't know how to input the NAT exemption rules, routes or ACLs for the VPN client to reach the desired VLAN.

The idea is to build a config that, depending on the user connecting, points that connection's SSL VPN tunnel to the appropriate DMZ/VLAN.

Thanks in advance

Xorg
To have different clients have different access capabilities, I would usually use LDAP authentication and use group membership to select the appropriate group policy on the ASA; the group policy can then contain the appropriate ACL.

Author

Commented:
This can also be achieved using local authentication, right?
Yes, you can use local authentication for this.

You can create a group policy for each requirement and then select the local users when you assign them. The policies are exclusive: you can only assign one of them to a user/group.

You can have a single split-tunnelling rule and a single ACL per group policy. The ACL can of course have multiple accept/deny rules within it.
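The per-user setup the answer above describes (one group policy per DMZ VLAN, each with its own split-tunnel list and ACL, local users bound to exactly one policy, plus the NAT exemption the asker was missing), as an added ASA configuration example that is not from the original thread. Interface names (dmz10, outside), subnets, the pool range, the username and 8.3+ NAT syntax are all assumptions.

```cisco
! Constructed example: pool, interface names and subnets are assumptions
ip local pool VPNPOOL 10.200.0.10-10.200.0.50 mask 255.255.255.0
!
! Catch-all policy: a user with no explicit assignment cannot log in
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
!
! Split-tunnel list for the DMZ10 VLAN (standard ACL, routes only)
access-list DMZ10_SPLIT standard permit 172.16.10.0 255.255.255.0
!
! vpn-filter ACL: source is the VPN client, destination the DMZ host.
! This is what restricts tunnelled traffic, because the default
! "sysopt connection permit-vpn" lets VPN traffic bypass interface ACLs.
access-list DMZ10_FILTER extended permit tcp 10.200.0.0 255.255.255.0 172.16.10.0 255.255.255.0 eq 443
access-list DMZ10_FILTER extended deny ip any any
!
group-policy GP_DMZ10 internal
group-policy GP_DMZ10 attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value DMZ10_SPLIT
 vpn-filter value DMZ10_FILTER
!
! Local user bound to exactly one group policy (password is a placeholder)
username alice password CHANGE_ME_PLACEHOLDER
username alice attributes
 vpn-group-policy GP_DMZ10
!
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 address-pool VPNPOOL
 authentication-server-group LOCAL
 default-group-policy GP_NOACCESS
!
! NAT exemption (8.3+ twice-NAT syntax, assumed): keep traffic between
! the DMZ10 VLAN and the VPN pool untranslated in both directions
object network DMZ10_NET
 subnet 172.16.10.0 255.255.255.0
object network VPN_POOL_NET
 subnet 10.200.0.0 255.255.255.0
nat (dmz10,outside) source static DMZ10_NET DMZ10_NET destination static VPN_POOL_NET VPN_POOL_NET no-proxy-arp route-lookup
```

Repeat the GP_DMZxx block, its two ACLs and its NAT exemption for each additional DMZ VLAN, and verify with `show vpn-sessiondb anyconnect` that a connected user landed in the intended group policy.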

Author

Commented:
Thanks, that clarified quite a few ideas for me.
