ACLs per VPN User

Hello Experts,

We have Cisco ASA 5540 terminating VPN sessions and using local user database on ASA for VPN users.

We have some 3rd party support companies that need access into the network to a specific server and I would like to lock down the user to specific IPs/ports.

For example, three employees from a company need access to different servers.

User 1 needs to reach Servers 1, 2 and 3
User 2 needs to reach Servers 4 and 5
User 1 should not reach Servers 4 and 5

Can someone point me in the direction for setting up per-user ACLs?
Thanks for any help given.
Asked by cciedreamer

1 Solution

Michael Ortega (Sales & Systems Engineer) commented:
What kind of access to the servers? All IP traffic, specific IP traffic (e.g. RDP)? Are all the users using the same VPN policy?

MO
cciedreamer (Author) commented:
Yes, they are using the same VPN group policy, and access to servers is specific (e.g. SSH, Telnet, RDP) for every individual VPN user.
Michael Ortega (Sales & Systems Engineer) commented:
Since you're using the ASA's local user database, I would suggest that you set each user's attributes to use "vpn-framed-ip-address" so that they get the same IP every time they connect. You can then write an ACL that only permits the traffic that is appropriate for each user.

For example, assuming the VPN subnet in question is 10.10.10.0/24 and the local private subnet where the servers are located is 172.16.1.0/24:

object network HOST_SERVER1
 host 172.16.1.10
!
object network HOST_SERVER2
 host 172.16.1.11
!
object network HOST_VPNUSER1
 host 10.10.10.10
!
object network HOST_VPNUSER2
 host 10.10.10.11
!
! vpn-framed-ip-address takes the address followed by its netmask
username USER1 attributes
 vpn-framed-ip-address 10.10.10.10 255.255.255.0
!
username USER2 attributes
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
!
access-list SplitTunnelACL extended permit tcp object HOST_VPNUSER1 object HOST_SERVER1 eq 22
access-list SplitTunnelACL extended permit tcp object HOST_VPNUSER2 object HOST_SERVER2 eq 3389
!

etc. etc. etc.

What you don't give explicit access to will be denied. I would recommend that you keep vendors on one tunnel-group/group-policy and your actual internal staff/users on another. It's best practice to do that and it makes managing the ACLs a little easier and cleaner.

MO
cciedreamer (Author) commented:
Thanks Michael for an excellent suggestion.

To recap:

I have a Company A and this company has 3 VPN users, each will have its own VPN IP address from the pool

cciedreamer1  - 192.168.50.2
cciedreamer2  - 192.168.50.3
cciedreamer3 - 192.168.50.4

cciedreamer1 needs to access the servers 10.1.2.2/TCP22, 10.1.2.10/TCP80,443,9001 and 10.1.2.11/TCP3389

cciedreamer2 needs to access the servers 10.1.2.11/TCP3389,10.1.2.12/TCP23

cciedreamer3 needs to access the servers 10.1.2.20/TCP21,10.1.2.21/TCP5040, 10.1.2.22/TCP9282

As per your example above, can you please put them into actual config?

Thanks for your time and help
Michael Ortega (Sales & Systems Engineer) commented:
My only suggestion about the below is that instead of using an object name that contains the IP address, use a name that matches either the hostname of the server or the role that the server serves, e.g. HOST_EXCHANGE or HOST_MAILSERV1, etc.

This assumes that you already have a no-NAT statement between your VPN network and the private LAN in question and that you are permitting split tunneling in your group policy.

object network HOST_10.1.2.2
 host 10.1.2.2
!
object network HOST_10.1.2.10
 host 10.1.2.10
!
object network HOST_10.1.2.11
 host 10.1.2.11
!
object network HOST_10.1.2.12
 host 10.1.2.12
!
object network HOST_10.1.2.20
 host 10.1.2.20
!
object network HOST_10.1.2.21
 host 10.1.2.21
!
object network HOST_10.1.2.22
 host 10.1.2.22
!
object network HOST_CCIEDREAMER1
 host 192.168.50.2
!
object network HOST_CCIEDREAMER2
 host 192.168.50.3
!
object network HOST_CCIEDREAMER3
 host 192.168.50.4
!
object-group service SERVICES_10.1.2.10 tcp
 port-object eq 80
 port-object eq 443
 port-object eq 9001
!
object-group network HOST_10.1.2.11_RDPUSERS
 network-object object HOST_CCIEDREAMER1
 network-object object HOST_CCIEDREAMER2
!
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER1 object HOST_10.1.2.2 eq 22
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER1 object HOST_10.1.2.10 object-group SERVICES_10.1.2.10
access-list SplitTunnelACL extended permit tcp object-group HOST_10.1.2.11_RDPUSERS object HOST_10.1.2.11 eq 3389
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER2 object HOST_10.1.2.12 eq 23
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.20 eq 21
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.21 eq 5040
access-list SplitTunnelACL extended permit tcp object HOST_CCIEDREAMER3 object HOST_10.1.2.22 eq 9282

MO
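What the thread leaves implicit is how the ACL gets attached to the individual user; an ACL that is only defined, or only used as the split-tunnel list, restricts nothing. The configuration below is an added example, not part of Michael's answer or the asker's configuration. It carries the vpn-framed-ip-address approach above through the original requirement (User 1 reaches Servers 1, 2 and 3; User 2 reaches Servers 4 and 5 and nothing else) and binds each ACL to its user with vpn-filter in the username attributes, which is what makes the restriction per-user rather than per-subnet. It also puts the vendors on their own group-policy and tunnel-group, as recommended above. All object names, addresses, the USER1_FILTER/USER2_FILTER ACLs and the GP_VENDORS/VENDORS names are assumptions made for illustration; the ports (22 and 3389) and the 10.10.10.0/24 and 172.16.1.0/24 subnets are taken from the thread.

```cisco
! Added example (not from the original answer). All names and addresses below
! are assumed for illustration; the assumed VPN pool is 10.10.10.0/24 and the
! assumed server LAN is 172.16.1.0/24. NAT exemption between the two is assumed
! to already exist, as noted above.
!
! Servers, grouped by who may reach them
object network HOST_SERVER1
 host 172.16.1.10
object network HOST_SERVER2
 host 172.16.1.11
object network HOST_SERVER3
 host 172.16.1.12
object network HOST_SERVER4
 host 172.16.1.13
object network HOST_SERVER5
 host 172.16.1.14
object-group network USER1_SERVERS
 network-object object HOST_SERVER1
 network-object object HOST_SERVER2
 network-object object HOST_SERVER3
object-group network USER2_SERVERS
 network-object object HOST_SERVER4
 network-object object HOST_SERVER5
!
! One fixed VPN address per user, so the ACL can key on it
object network HOST_VPNUSER1
 host 10.10.10.10
object network HOST_VPNUSER2
 host 10.10.10.11
!
! One filter ACL per user: source is the user's fixed VPN address, destination
! is only that user's servers. Everything not listed falls to the implicit deny,
! which is what keeps User 1 off Servers 4 and 5.
access-list USER1_FILTER extended permit tcp object HOST_VPNUSER1 object-group USER1_SERVERS eq 22
access-list USER1_FILTER extended permit tcp object HOST_VPNUSER1 object-group USER1_SERVERS eq 3389
access-list USER2_FILTER extended permit tcp object HOST_VPNUSER2 object-group USER2_SERVERS eq 3389
!
! Bind the fixed address and the filter to the local user account
username USER1 attributes
 vpn-framed-ip-address 10.10.10.10 255.255.255.0
 vpn-filter value USER1_FILTER
username USER2 attributes
 vpn-framed-ip-address 10.10.10.11 255.255.255.0
 vpn-filter value USER2_FILTER
!
! Vendors on their own group-policy/tunnel-group, separate from internal staff.
! The split-tunnel list is a standard ACL of destination networks and only
! decides what the client routes into the tunnel; the vpn-filter does the
! restricting.
access-list SPLIT_VENDORS standard permit 172.16.1.0 255.255.255.0
group-policy GP_VENDORS internal
group-policy GP_VENDORS attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_VENDORS
tunnel-group VENDORS type remote-access
tunnel-group VENDORS general-attributes
 default-group-policy GP_VENDORS
```

A vpn-filter ACL is checked on traffic in both directions of the tunnel, so each entry is written with the user's VPN address as source and the server as destination, as the ACLs above are; the ASA matches the return traffic against the same entry. After a user connects, show vpn-sessiondb detail lists the filter name attached to that session, and the hit counts in show access-list USER1_FILTER confirm the entries are actually being matched rather than the traffic being permitted by some other path.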
cciedreamer (Author) commented:
Finally I came up with this

VPN Subnet : 10.10.10.0/23
Servers Subnet :172.16.1.0/24

object network OBJ_10.10.10.2_VPNHOST
 host 10.10.10.2
!
object-group network OBJ_10.10.10.2_VPNHOST_T0_SERVERS
 network-object host 172.16.1.1
 network-object host 172.16.1.2
!
object-group service OBJ_10.10.10.2_VPNHOST_SERVICES tcp
 port-object eq 22
 port-object eq 3389
!
access-list COMPANYA extended permit tcp object OBJ_10.10.10.2_VPNHOST object-group OBJ_10.10.10.2_VPNHOST_T0_SERVERS object-group OBJ_10.10.10.2_VPNHOST_SERVICES

What's your opinion? I would appreciate your suggestions on this.
Michael Ortega (Sales & Systems Engineer) commented:
Ok, that allows 1 VPN user to connect to two private servers on the 2 service ports listed. Is that all you're trying to do?

MO
cciedreamer (Author) commented:
Yes, and if a second user requires access to the same servers, then I would do the same:

VPN Subnet : 10.10.10.0/23
Servers Subnet :172.16.1.0/24

object network OBJ_10.10.10.3_VPNHOST
 host 10.10.10.3
!
object-group network OBJ_10.10.10.3_VPNHOST_T0_SERVERS
 network-object host 172.16.1.1
 network-object host 172.16.1.2
!
object-group service OBJ_10.10.10.3_VPNHOST_SERVICES tcp
 port-object eq 22
 port-object eq 3389
!
access-list COMPANYA extended permit tcp object OBJ_10.10.10.3_VPNHOST object-group OBJ_10.10.10.3_VPNHOST_T0_SERVERS object-group OBJ_10.10.10.3_VPNHOST_SERVICES
cciedreamer (Author) commented:
Please advise if you have better suggestions.
Michael Ortega (Sales & Systems Engineer) commented:
I don't understand. You gave me specific requirements and I replied with the exact syntax for your configuration request. Then you sent me some proposed syntax for a different configuration?

What do you need exactly?

MO
cciedreamer (Author) commented:
I followed your first suggestion and came up with some changes in the configuration. I just need to know whether you think this configuration is appropriate and standard.
Michael Ortega (Sales & Systems Engineer) commented:
If your goal is to allow one VPN user to connect to two servers via SSH and RDP, the configuration is fine.

MO