ACLs per VPN User

Hello Experts,

We have Cisco ASA 5540 terminating VPN sessions and using local user database on ASA for VPN users.

We have some third-party support companies that need access into the network to a specific server, and I would like to lock each user down to specific IPs/ports.

For example, three employees from a company need access to different servers.

User1 needs to reach Server 1,2 and 3
User 2 needs to reach Server 4,5
User 1 should not reach Server 4,5

Can someone point me in the right direction for setting up per-user ACLs?
Thanks for any help given.
cciedreamerAsked:
Michael OrtegaSales & Systems EngineerCommented:
What kind of access to the servers? All IP traffic, specific IP traffic (e.g. RDP)? Are all the users using the same VPN policy?

MO
0
cciedreamerAuthor Commented:
Yes, they are using the same VPN group policy, and access to the servers is specific (SSH, Telnet, RDP, etc.) for every individual VPN user.
0
Michael OrtegaSales & Systems EngineerCommented:
Since you're using the ASA's local user database I would suggest that you set each user's attributes to use "vpn-framed-ip-address" so that they get the same IP when they connect. You can then write an ACL to only permit the traffic through that's appropriate for each user.

For example, assuming the VPN subnet in question is 10.10.10.0/24 and the local private subnet where the servers are located is 172.16.1.0/24:

object network HOST_SERVER1
 host 172.16.1.10
!
object network HOST_SERVER2
 host 172.16.1.11
!
object network HOST_VPNUSER1
 host 10.10.10.10
!
object network HOST_VPNUSER2
 host 10.10.10.11
!
username USER1 attributes
 vpn-framed-ip-address 10.10.10.10 255.255.255.0
!
username USER2 attributes
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
!
access-list SplitTunnelACL extended permit tcp object HOST_VPNUSER1 object HOST_SERVER1 eq 22
access-list SplitTunnelACL extended permit tcp object HOST_VPNUSER2 object HOST_SERVER2 eq 3389
!

etc. etc. etc.

What you don't give explicit access to will be denied. I would recommend that you keep vendors on one tunnel-group/group-policy and your actual internal staff/users on another. It's best practice to do that and it makes managing the ACLs a little easier and cleaner.

MO
0
cciedreamerAuthor Commented:
Thanks Michael for an excellent suggestion

To recap:

I have a Company A and this company has 3 VPN users, each will have its own VPN IP address from the pool

cciedreamer1  - 192.168.50.2
cciedreamer2  - 192.168.50.3
cciedreamer3 - 192.168.50.4

cciedreamer1 needs to access the servers 10.1.2.2/TCP22, 10.1.2.10/TCP80,443,9001 and 10.1.2.11/TCP3389

cciedreamer2 needs to access the servers 10.1.2.11/TCP3389,10.1.2.12/TCP23

cciedreamer3 needs to access the servers 10.1.2.20/TCP21,10.1.2.21/TCP5040, 10.1.2.22/TCP9282

As per your above example, can you please put them into actual config?

Thanks for your time and help
0
Michael OrtegaSales & Systems EngineerCommented:
My only suggestion about the below is that instead of using an object name that contains the IP address, use a name that matches either the hostname of the server or the role that the server serves, e.g. HOST_EXCHANGE or HOST_MAILSERV1, etc.

This assumes that you already have a no-NAT statement between your VPN network and the private LAN in question and that you are permitting split tunneling in your group policy.

object network HOST_10.1.2.2
 host 10.1.2.2
!
object network HOST_10.1.2.10
 host 10.1.2.10
!
object network HOST_10.1.2.11
 host 10.1.2.11
!
object network HOST_10.1.2.12
 host 10.1.2.12
!
object network HOST_10.1.2.20
 host 10.1.2.20
!
object network HOST_10.1.2.21
 host 10.1.2.21
!
object network HOST_10.1.2.22
 host 10.1.2.22
!
object network HOST_CCIEDREAMER1
 host 192.168.50.2
!
object network HOST_CCIEDREAMER2
 host 192.168.50.3
!
object network HOST_CCIEDREAMER3
 host 192.168.50.4
!
object-group service SERVICES_10.1.2.10 tcp
 port-object eq 80
 port-object eq 443
 port-object eq 9001
!
object-group network HOST_10.1.2.11_RDPUSERS
 network-object object HOST_CCIEDREAMER1
 network-object object HOST_CCIEDREAMER2
!
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER1 object HOST_10.1.2.2 eq 22
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER1 object HOST_10.1.2.10 object-group SERVICES_10.1.2.10
access-list SplitTunnelACL extended permit tcp object-group HOST_10.1.2.11_RDPUSERS object HOST_10.1.2.11 eq 3389
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER2 object HOST_10.1.2.12 eq 23
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.20 eq 21
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.21 eq 5040
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.22 eq 9282

MO
0
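Both configurations above pin each vendor to a fixed framed address and then match on that source address, but neither shows how the ACL is actually bound to the user, nor the no-NAT, split-tunnel and separate vendor tunnel-group/group-policy that the first answer refers to. The following is an added example and is not Michael's configuration or Cisco's documentation: it binds each user's ACL with `vpn-filter` under the username attributes and puts a deny-all filter on the vendor group as the fallback for any account that has no per-user filter. The 10.10.10.0/24 pool and 172.16.1.0/24 server subnet are taken from the first answer; the names (VENDORS, VPN_POOL, NET_SERVERS, VPNFILTER_*), the inside/outside interface names, the pool range and ASA 8.3+ NAT syntax are assumptions.

```cisco
! ---- Addresses (assumed: VPN pool 10.10.10.0/24, servers 172.16.1.0/24) ----
! Pool range starts above the statically framed addresses so they cannot collide
ip local pool VPN_POOL 10.10.10.100-10.10.10.200 mask 255.255.255.0
!
object network NET_VPN_POOL
 subnet 10.10.10.0 255.255.255.0
object network NET_SERVERS
 subnet 172.16.1.0 255.255.255.0
!
! ---- NAT exemption (ASA 8.3+ syntax, assumed) so VPN<->LAN traffic is not translated ----
nat (inside,outside) source static NET_SERVERS NET_SERVERS destination static NET_VPN_POOL NET_VPN_POOL no-proxy-arp route-lookup
!
! ---- Split tunnel: only the server subnet is sent through the tunnel ----
access-list SPLIT_TUNNEL standard permit 172.16.1.0 255.255.255.0
!
! ---- Per-user filters: VPN client as source, server as destination, server port after eq ----
! Each filter ends in an implicit deny, so anything not listed is dropped
access-list VPNFILTER_USER1 extended permit tcp host 10.10.10.10 host 172.16.1.10 eq 22
access-list VPNFILTER_USER1 extended permit tcp host 10.10.10.10 host 172.16.1.11 eq 3389
access-list VPNFILTER_USER2 extended permit tcp host 10.10.10.11 host 172.16.1.11 eq 3389
! Fallback for a vendor account that has no per-user filter bound
access-list VPNFILTER_DENY_ALL extended deny ip any any
!
! ---- Vendor group, kept separate from staff as the answer above recommends ----
group-policy VENDORS internal
group-policy VENDORS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter value VPNFILTER_DENY_ALL
 vpn-simultaneous-logins 1
!
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
 address-pool VPN_POOL
 default-group-policy VENDORS
!
! ---- Users: fixed address plus their own filter; user attributes override the group's ----
username USER1 password <PLACEHOLDER>
username USER1 attributes
 vpn-group-policy VENDORS
 vpn-framed-ip-address 10.10.10.10 255.255.255.0
 vpn-filter value VPNFILTER_USER1
username USER2 password <PLACEHOLDER>
username USER2 attributes
 vpn-group-policy VENDORS
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
 vpn-filter value VPNFILTER_USER2
!
! ---- Verify: per-ACE hit counts, and which filter each live session received ----
show access-list VPNFILTER_USER1
show vpn-sessiondb detail
```

Two points worth knowing when checking this. A vpn-filter ACL is applied to the decrypted traffic in both directions; the ASA swaps source and destination for the return path, which is why one set of entries written client-to-server is enough. And with `sysopt connection permit-vpn` at its default, decrypted VPN traffic bypasses the outside interface ACL entirely, so an interface ACL alone does not restrict the vendors; the vpn-filter (or disabling that sysopt) is where the per-user restriction has to live. The `show access-list` hit counts on the filter confirm that connections are actually being evaluated against it.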

cciedreamerAuthor Commented:
Finally, I came up with this:

VPN Subnet : 10.10.10.0/23
Servers Subnet :172.16.1.0/24

object network OBJ_10.10.10.2_VPNHOST
 host 10.10.10.2
!
object-group network OBJ_10.10.10.2_VPNHOST_TO_SERVERS
 network-object host 172.16.1.1
 network-object host 172.16.1.2
!
object-group service OBJ_10.10.10.2_VPNHOST_SERVICES tcp
 port-object eq 22
 port-object eq 3389
!
access-list COMPANYA extended permit tcp object OBJ_10.10.10.2_VPNHOST object-group OBJ_10.10.10.2_VPNHOST_TO_SERVERS object-group OBJ_10.10.10.2_VPNHOST_SERVICES

What's your opinion? I'd appreciate your suggestions on this.
0
Michael OrtegaSales & Systems EngineerCommented:
Ok, that allows 1 VPN user to connect to two private servers on the 2 service ports listed. Is that all you're trying to do?

MO
0
cciedreamerAuthor Commented:
Yes, for a second user that requires access to the same servers, I would do the same:

VPN Subnet : 10.10.10.0/23
Servers Subnet :172.16.1.0/24

object network OBJ_10.10.10.3_VPNHOST
 host 10.10.10.3
!
object-group network OBJ_10.10.10.3_VPNHOST_TO_SERVERS
 network-object host 172.16.1.1
 network-object host 172.16.1.2
!
object-group service OBJ_10.10.10.3_VPNHOST_SERVICES tcp
 port-object eq 22
 port-object eq 3389
!
access-list COMPANYA extended permit tcp object OBJ_10.10.10.3_VPNHOST object-group OBJ_10.10.10.3_VPNHOST_TO_SERVERS object-group OBJ_10.10.10.3_VPNHOST_SERVICES
0
cciedreamerAuthor Commented:
Please advise if you have better suggestions.
0
Michael OrtegaSales & Systems EngineerCommented:
I don't understand. You gave me specific requirements and I replied with the exact syntax for your configuration request. Then you sent me some proposed syntax for a different configuration?

What do you need exactly?

MO
0
cciedreamerAuthor Commented:
I followed your first suggestion and came up with some changes in the configuration. I just need to know whether you think this configuration is appropriate and standard.
0
Michael OrtegaSales & Systems EngineerCommented:
If your goal is to allow one VPN user to connect to 2 servers via SSH and RDP, the configuration is fine.

MO
0