Cisco VPN :: ASA 8.2.x - Control Access To Different Group Policies On VPN? 

Mar 22, 2010

Using Microsoft IAS as the auth server, how do I get the ASA (v.8.2.1) to take different user groups defined in AD, and control access to different group policies on the VPN?  We're setting up the ASA for many different vendors, and need to control access for each vendor with different policy.

For example, Vendor one is in AD group Vendor1 and will only be permitted access to a specific group of defined IPs in our network. Vendor two is in AD group Vendor2 and will only be permitted access to a different group of defined IPs in our network from Vendor1.



D-Link DIR-655 :: Access Control Policies IP Ranges?

Jan 9, 2010

I'm trying to block internet access to a range of IP addresses using the Access Control function of the DIR-655 router. Unfortunately, the router does not allow me to block a range of IPs. Instead, I can only create policies based upon individual IPs or MAC addresses. I have over 60 machines I want to block Internet access and I'd hate to have to type them in individually. How do I go about blocking all Internet access (HTTP/FTP/email/everything) for a range of IP addresses? They will have to be able to continue to use the internal LAN.


Cisco VPN :: ASA5500 Remote Access Group Policies IPsec Client Firewall

Mar 6, 2011

We have ASA5500's deployed for remote access concentration. We use Cisco IPsec vpn client with a group policy that checks for Network ICE BlackIce personal firewall. The powers-that-be wish to change to McAfee personal Firewall, ok. Now the Group Policy allows you to check for several pre-configured Firewalls, Cisco Integrated, Sygate, Zone Labs etc. So as McAfee are not listed then I am to assume we go for "Custom Firewall" and this is where I am struggling. To configure checking for a Custom Firewall I must have the Vendor ID and the Product ID. McAfee haven't the faintest idea what we're talking about when we ask them for these details. Or is there a way to extract them from the registry of a machine with the McAfee product installed?


Cisco :: Access Control Lists And A Bridge Group?

May 13, 2012

I've got a Cisco 1841 with 2 FastEthernet ports here. My Cisco isn't great, and I've been given a problem I don't seem to be able to crack. Essentially, I have one network with two sides. I've connected these to fe0/0 and fe0/1 on the router, and put these interfaces into a bridge group which as far as I can tell, essentially makes the router a 2 port switch... I know this won't make a lot of sense from a normal network point of view, but what we need to do is allow all traffic from fe0/0 to fe0/1, but not allow any traffic in the reverse direction. The traffic allowed to flow from fe0/0 to fe0/1 must include broadcast traffic (in fact that is the most important traffic, it's how the silly theatre application works). None of the traffic is IP addressed... i.e., each of the devices on the network assign themselves an IP address, and then throw broadcast traffic out on to the "dedicated physical network" that exists between them for communication [CODE]


Cisco VPN :: Deleting Group Policies In ASDM 7

Mar 14, 2013

A bit of a Catch-22 here: I am trying to delete VPN Group Policies but receive the error message that the policy is in use by a particular Connection Profile. When I try to delete the Connection Profile I receive the message that it is in use by a VPN Group Policy.
What else is there to delete or do I have to use the CLI?


Cisco VPN :: 5505 - Can Single Local User Belong To 2 Group-policies

Jan 13, 2013

I have a Cisco ASA 5505 that I've set up with an SSL VPN. This is for personal use, and I therefore don't have need for anything more than local authentication. [code]
I'd like to have one profile/policy where I only encrypt data going to my split-tunnel ACL, and I'd like to have one profile/policy where I encrypt all traffic.
The issue I've been fighting is - it doesn't seem like it's possible to associate more than one group policy per user. If it IS possible - can you tell me how I associate both groups to my local account?


Cisco AAA/Identity/Nac :: ACS 5.2 Access Policies

Mar 15, 2012

We have two device groups:
ASAs for VPN access
Wireless Controllers
There are 2 AAA devices in each group.

We have 4 Identity Stores

ACS Internal User Store - This is used for external suppliers doing SSL VPN on ASAs
External Radius server - this is a two factor authentication server that in turn looks up our AD and its own internal token database. This is used for IPSEC VPN access for internal employees.
We have mapped AD groups - this is used for allowing access for wireless users.
LDAP group mapped from other AD domain - used for allowing wireless access to an associated organisation.
Our requirements

We need to create a rule for the VPN access that first of all looks through the ACS internal store - if a user is not found there then it checks the external Radius server. If no users are found there then access is denied.
We need to create a similar rule for wireless users so that it will check AD - if a user is not found there then it checks LDAP. If no users are found then access is denied.


Cisco :: ACS 5.1 Access Policies For Multiple EAP Types?

Mar 3, 2011

I am trying to configure a Unified Wireless solution with ACS 5.1 and am having trouble with the access policies. We have corporate laptops authenticating via PEAP and 7921 phones authenticating using EAP-FAST.
I have one access service configured to allow PEAP and authenticate against AD and another access service configured to allow EAP-FAST and authenticate the 7921 phones against the "internal user" database.
I have configured 2 service selection rules. Each one points to one of the access services. The only condition I have currently configured is the "protocol" field to be RADIUS. Because both the 7921 phones and the client laptops are generating RADIUS requests I can only have one EAP type working depending which rule is at the top. Because the RADIUS protocol field is always matched, requests never get past the first rule.
How do I modify the rule to be able to distinguish between VoIP handsets on one WLAN and client laptops on another so that the correct access policy is used for each device?


Cisco VPN :: ASA Mobile AV Support For Dynamic Access Policies

Sep 12, 2012

We just upgraded to ASA and the latest CSD image, 3.6.6203.  We currently have a DAP set up to scan one group policy for a specific AV but wanted to start implementing this for all group policies and including several different flavors of AV (so anyone could connect from anywhere as long as a pre-approved AV is installed).  We are going to allow about 20 different versions of different AV's and I've tested a couple already and they're successful.
My issue right now is trying to allow (or deny) AV that is installed on an Android tablet (and potentially Apple devices).  The tablet has avast Mobile Security installed, and even if I select Vendor: Alwil as a whole, it still does not recognize it and denies the user.  I have tested on a PC and it works fine.  Is there something that I am missing or are mobile AV programs not included in the DAP policies?  Is this going to be considered for future versions of CSD or ASA or are we going to continue to consider Android and Apple devices "secure" and not in need of an AV? 


Cisco Routers :: WRVS4400N Internet Access Policies Blocking Everything

Aug 8, 2011

After updating the firmware of my WRVS4400N from V to all traffic was blocked for all machines, even some not included in the list of PCs. As the log was showing that all traffic was blocked by access policies, I disabled the only rule I had (blocking access to some sites to some MAC address list) and everything worked fine. I tried creating a new, simpler rule but after activation it blocked again all traffic for all the LAN. After many trials, I decided to roll back to the previous V2.0.1.3 which solved this problem.


Cisco WAN :: ASA5505 / Setting Access Policies Dual Internet Connections

Jun 7, 2011

I'm trying to set up a S2S VPN between two ASA5505 SP units running ASA Version 8.2(1). I've ordered additional ADSL2 lines to handle this traffic and I'm having troubles with the configuration for the additional PPPoE connection. Here are extracts from my current config. First the interface vlans:
interface Vlan1
nameif inside
security-level 100
ip address

The result being that I can ping the OUTSIDE interface, but get no reply from the VPN interface. I've checked ADSL lines, they are up. The two PPPoE sessions are logged in and active. I can even see the ICMP packets hit the VPN interface, but there is no reply.


Linksys Wireless Router :: E4200 V1 - Max Number Of Internet Access Policies Supported

May 16, 2012

I have an E4200 v1 wireless router, F/W 1.0.04.
Article ID 4041 [URL] says I can have up to 10 Internet Access Policies but the web based GUI has a pull down with only 5 possible.
Is 10 policies possible?  If so, how?


Wifi Access Points With User Access Control?

Nov 27, 2012

We have a small office and already have a firewall in place that uses content filtering. I am looking for a low cost wireless access point that I can place behind my firewall that will allow me to control access by a username and password list, not just the passkey.

Does this exist without having to go to an Aruba or Ruckus type enterprise WIFI product?


Cisco :: Access Control For Static NAT

Jun 15, 2012

(1) How do I forward a range of ports to a specific IP using static NAT? For example, I would like to forward port 5060 and 10000-20000 to a server.

(2) How do I apply access control to this static NAT? For example, I would like to deny specific IPs from accessing it from public.

interface ethernet 0
ip address
ip nat inside



Cisco :: 5508 - MAC Access Control

Nov 29, 2012

We are forced to rush an installation of a WLC 5508 for various reasons in a testing lab. I eventually want to configure RADIUS and such but cannot do it at this immediate time. What I would like to do is implement straightforward MAC filtering. The problem I am having is the controller allows either any WLAN or only one WLAN, and an interface setting. I need to have each MAC be able to access several WLANs but not all of them. Can anyone point me to an article or give me a quick idea of what I can do? I have basic WLANs configured and have MAC filtering generally working. I cannot just use a user authentication because each user may have 20-30 devices, but not all of these devices should be allowed on all WLANs and I do not want to rely on the user.


Cisco VPN :: ASA 8.4 LDAP Group To ASA Group Policy Mapping?

Jul 31, 2012

I try to map LDAP Group to ASA Group policy following documentation:
This is a config for ASA 8.0. I would have expected it to work on 8.4 as well but I do run into problems. The mapping as shown in LDAP Debug and ASA Log will actually happen but it is overwritten by the "GPnoAccess" Group Policy configured locally in the Tunnel Group. From earlier works with RADIUS I would have expected the user specific Attribute to be "stronger"?
ASA Log:
AAA retrieved user specific group policy (correct Policy) for user = XXX
AAA retrieved default group policy (GPnoAccess) for user = XXX


Cisco :: Creating An Access Control List?

Apr 6, 2013

Creating an Access Control List


Cisco AAA/Identity/Nac :: ACS 5.3 For Network Access Control

Feb 16, 2013

We recently deployed ACS 5.3 on a VM. While the main purpose of implementation was to control access (authentication/authorization) on network devices, can we use the same user to authenticate users' access to our wired network? So only users with valid credentials on our Windows AD can have access to the network?


Cisco VPN :: How To Control Access To Clientless SSL VPN On ASA 5520

Dec 11, 2011

I have set up clientless SSL VPN on my ASA.  User authentication is done by RADIUS using ACS 5.2. I have created two portals, one for the IT department and the other for the auditing department, but the users in auditing, if they select the IT group from the drop-down list, can log in to it. My question is how can I make them log in to their group only and prevent them from accessing other groups?


How To Setup Access Control For My Children

Mar 22, 2011

I have a D-Link DIR-615 and am trying to set up the Access Control so that I can restrict Internet connection from midnight till morning (to keep my teenage kids from staying up half the night on the Internet). I can step through the Access Control set up, but I don't see how I can block only one MAC address or computer from accessing the internet at specific times.


D-Link DIR-615 :: Access Control Blocks Too Much

Oct 24, 2012

I have tried to set up access control by setting up a policy that restricts certain MAC addresses during a period during the day from certain websites.  I set up the website filter and a schedule and selected them for the policy.  Instead of blocking just the websites on the filter list during the time set up in the schedule, it blocks all websites all the time. I made sure that I set up the policy to 'block some access' NOT 'block all access'. The only thing that seems to work is that only the computers with the MAC address selected are affected.


D-Link DIR-655 :: Web Access Control Not Working?

Mar 2, 2010

I may be doing it incorrectly, but I'm trying to configure web access rules.  I first set up access control and tell it to use the website filter.  I've tried configuring it by both MAC address and IP address (separately, not simultaneously), but it still allows the listed sites in the web filter to get through.  Is there something else I need to block or am I not doing something correctly?  The network is on DHCP reservation, so IP addresses are always the same.  MAC addresses, as I mentioned, don't work, either and they are fixed and logged in the router.


D-Link DIR-655 :: Access Control When IP Or MAC Can Be Changed

Dec 31, 2011

DIR655 with 1.33NA firmware.  I'm trying to determine how to block access to the internet for a specific LAN computer when the user knows how to change a MAC address.  I don't want to turn MAC control on and grant only to listed computers - the list doesn't accommodate enough MAC addresses, and the client has wireless and wired since it's a laptop.  I also don't want to set static IPs on all of the devices since some cannot accommodate that feature. I'm thinking that reserving an IP address isn't ultimately the solution either, since assigning the IP isn't going to work if the MAC changes. How do I use access control under these circumstances?


Cisco :: Access Control List Practice Site?

Apr 25, 2013

I've been working on an application recently that practices ACL configuration, and since finishing I figured it should be put on the internet as there wasn't much more work to do to make it suitable for a website. It allows you to practice both standard and extended ACL configuration by generating a random number of ACL actions for you to configure, and provides the correct config to compare yours against to see if you were correct. It also emulates a router at a very basic level to allow practice when there is no equipment available.


Cisco :: Access Control List Not Behaving As Expected

Dec 18, 2011

I have an extended acl on my VLAN interface inbound and it is working like I need it to, securing one side of my network from the other allowing only what I want from my desktops to my servers. The acls look something like this:

vlan70 -----> inbound acl (allows 80/443) ---> vlan100

I need vlan100 to have access to something on vlan70 now and I cannot get it to work. My question is would this work?

vlan70 -----> inbound acl (allows 80/443) ---> vlan100
vlan100 <----- outbound acl (allows 9100) <---- vlan70

Traffic is initiated from vlan100 not from vlan70 then back through so an established rule does not work. Also there are many more ports open in my inbound acl but this is simplified for ease of reading. I want to make sure if I place both an inbound and outbound rule on my vlan and that it is in the right place, both on the same vlan.


Cisco :: AS5400 SIP Gateway And Access-list Control?

Feb 3, 2011

I have a sip gateway (AS5400) that is used to connect sip providers to our internal voice network.

Internal gateway ( LAN) -- SIP trunk -- AS5400 ( LAN/ WAN) -- SIP trunk -- Internet SIP Provider

We encountered the following problem: A SIP call from internal gateway to the sip provider could establish but was muted on our side (sip provider could hear us). On the WAN interface of the AS5400, there is an ACL that filters traffic IN coming from SIP Provider

interface GigabitEthernet0/0
ip address
ip access-group 101 in

I log the deny on this ACL and I saw some udp packets denied with LAN addresses!

*Mar 3 15:24:44.001: %SEC-6-IPACCESSLOGP: list 101 denied udp -> (0), 1 packet

I did not bind anything on the sip config. When I changed the ACLs, calls went well. Why do I see LAN packets on the WAN interface?


Cisco AAA/Identity/Nac :: Method To Control Access To Different WLAN On Same ACS 5.2 And WLC

Aug 6, 2012

Is there any method to control access to the different WLAN (PEAP) on the same ACS 5.2 and WLC? That is, there are two AD groups: one has access to the domain network only, the other group has access to the internet only, and maybe a third group that has access to both networks. Currently if I add a new authorization policy the user will have access to both networks.


Cisco :: 5508 / Control Access To Preauthorized Device?

Jul 15, 2012

I have been asked to allow our employees to connect their own devices to an open wireless network. I want to control access to preauthorized devices and I am looking for solutions. We do not have access to any other control devices like an ACS and I would like to achieve the result using just the 5508 controller.


Cisco Wireless :: Can't Access Control Panel Of WAP4410n

Jan 8, 2011

I just purchased a Cisco access point and I tried to access the control panel to set up wireless security, but the page I issued does not display. Is there any way to connect to the device's web-based interface?


Cisco AAA/Identity/Nac :: ASA 5520 - VPN Access Control Using LDAP

Mar 13, 2011

I am configuring an ASA 5520 for VPN access.  Authorization & Authentication use an LDAP server.  I have the tunneling configured successfully, and I can access internal resources.  What I want to do now is to restrict access to a specific AD Group membership.  In the absence of that group membership, a user should not be allowed access to the VPN.
My test VPN client software is Cisco Systems VPN Client Version  The group authentication is configured into a Connection Entry that identifies the Tunnel Group. I think I worded that correctly.
The Software Version on the ASA is 8.3(1).
My current challenge is getting the VPN to stop letting every access request through regardless of group membership. 
The configuration (AAA LDAP, group policy, and tunnel group) is below.
aaa-server LDAP protocol ldap
aaa-server LDAP (inside) host x.x.y.12
 server-port 636
 ldap-base-dn dc=domain,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ********
 ldap-login-dn



Cisco WAN :: Access Control List On 7200 Router?

Dec 12, 2012

I am having some issues with creating an ACL for my gateway router. I want to block external access to my network from the internet so I set up the ACL on the WAN port of my 7200 router. I am using a named extended access list -

deny ip any log
permit ip any any
and I applied this inbound access list on the WAN port of the router as
"ip access-group acl-in in"
Now I have blocked the external traffic to my network but the issue I am having is I am also unable to reach outside now. All I want is to block external traffic on the router WAN port but allow internal traffic to outside. Did I miss anything in the access list?


Cisco WAN :: 876-SEC-I-K9 Number Of Access Control List Support

Jul 15, 2012

How to find out the upper limit of ACL on CISCO876-SEC-I-K9 router. How to measure performance parameter on the same as BGP is running on this router.


Cisco Routers :: IPSec Access Control On WRVS4400N?

Oct 7, 2011

I have a WRVS4400N, and need to apply access control to an IPSec tunnel that terminates at a client site, but can't seem to make the device comply.
I can configure ACLs on their device for the LAN to restrict packets coming back into my network, and can restrict packets outbound from my LAN, but that is hardly a secure method of doing this in my opinion.

