Tuesday, September 17, 2013

Restricting VPN access on a Cisco ASA

In this blog, we will look at two methods of restricting a VPN user's access with a simple ACL.

The Cisco ASA allows ACLs that are group-specific or user-specific, attached with the vpn-filter attribute. A user-specific vpn-filter overrides the one inherited from the group policy.

Take the user "user1". We want to allow him SSH access to all hosts except 10.99.90.17. Crafting a user-specific ACL and applying it to the username accomplishes this.

Here's the config:


show run username user1
username user1 password xaI3t+nY5wjYQ2thSKJfoQ== nt-encrypted
username user1 attributes
 vpn-group-policy  MANAGEMENT
 vpn-filter value user1ac
 memberof MGT



So upon access and successful authentication, the ACL named user1ac controls his access. The ACL is evaluated with the VPN client's assigned address as the source, so "any" here matches the client, and since the ACL ends with an implicit deny, anything not explicitly permitted (in this case, anything other than SSH) is dropped. The deny line must come before the permit, because the ACL is evaluated top-down and the first match wins.

show run access-list user1ac
access-list user1ac extended deny tcp any host 10.99.90.17 eq ssh 
access-list user1ac extended permit tcp any any eq ssh 


Okay, so let's test this out:

(ssh to 10.99.90.17):



airjordan:~ kfelix$ ssh 10.99.90.17
ssh: connect to host 10.99.90.17 port 22: Operation timed out


Now let's ssh to another host (10.99.90.1):

airjordan:~ kfelix$ 
airjordan:~ kfelix$ ssh 10.99.90.1
Password: 
CSW1_2960>

Okay, now let's apply the same thing, but to the group policy directly, so that it covers every user in MANAGEMENT who does not have a user-level vpn-filter of his own:


group-policy  MANAGEMENT attributes
 dns-server value 8.8.4.4 8.8.8.8
 vpn-filter value user1ac
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-managementonly
 default-domain value socpuppets.com
 user-authentication enable


So now you have seen two ways to restrict users. The vpn-filter attribute can be set on a group policy, where it applies to every member of the group, or on an individual username, where it overrides the group setting for that user only.

NOTE: If you change the group-policy, the user attributes or the access-list, the change does not take effect for a session that is already up; it applies only after the user has disconnected and re-authenticated.
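As an added example (not part of the original post), here are the two methods combined: a group-level filter that gives everyone in MANAGEMENT SSH-only access, a user-level filter for user1 that overrides it to exclude 10.99.90.17, and the exec commands used to verify the filter and to force the new filter onto an existing session. The ACL names MGT-SSH-ONLY and USER1-SSH and the 10.99.90.0/24 management subnet are assumed for illustration.

```cisco
! Added example, not from the original post. The ACL names MGT-SSH-ONLY and
! USER1-SSH and the subnet 10.99.90.0/24 are assumed for illustration.
!
! --- configuration mode ---
!
! Group-level filter: every member of MANAGEMENT gets SSH only, and only to
! the management subnet. Source "any" matches the client's pool address.
! The implicit deny at the end drops ICMP, DNS and everything else not listed.
access-list MGT-SSH-ONLY extended permit tcp any 10.99.90.0 255.255.255.0 eq ssh
!
group-policy MANAGEMENT attributes
 vpn-filter value MGT-SSH-ONLY
!
! User-level filter for user1: same SSH access, but 10.99.90.17 is excluded.
! The deny must come before the permit; the first matching line wins.
access-list USER1-SSH extended deny tcp any host 10.99.90.17 eq ssh
access-list USER1-SSH extended permit tcp any 10.99.90.0 255.255.255.0 eq ssh
!
! The user-level vpn-filter overrides the group-level one for user1 only.
username user1 attributes
 vpn-group-policy MANAGEMENT
 vpn-filter value USER1-SSH
!
! --- exec mode ---
!
! Hit counts show which line a client's connection matched; the deny line
! should increment when user1 tries to ssh to 10.99.90.17.
show access-list USER1-SSH
!
! The changes above do not apply to a session that is already up. Log the
! user off so the new filter is picked up when he reconnects.
vpn-sessiondb logoff name user1
```

The group-level ACL deliberately narrows the destination to the management subnet rather than "any"; if a vpn-filter is the only thing standing between a remote user and the inside network, a permit tcp any any line hands that user SSH to every host the ASA can route to.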



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \
