Tuesday, September 17, 2013

Restricting VPN access cisco ASA

In this blog post, we will look at two methods of restricting a VPN user's access with a simple ACL.

The Cisco ASA allows for ACLs that are group-specific or user-specific. A user-specific ACL overrides any group-specific entries.

Take the user "user1": we want to allow him SSH access to all hosts, but not to one particular host. Crafting a user-specific ACL and applying it to the username will accomplish this task.

Here's the config:

show run username user1
username user1 password xaI3t+nY5wjYQ2thSKJfoQ== nt-encrypted
username user1 attributes
 vpn-group-policy  MANAGEMENT
 vpn-filter value user1ac
 memberof MGT

So upon access and successful authentication, the ACL named user1ac will control his access.

show run access-list user1ac
access-list user1ac extended deny tcp any host eq ssh 
access-list user1ac extended permit tcp any any eq ssh 

Okay, so let's test this out:

(ssh to );

airjordan:~ kfelix$ ssh
ssh: connect to host  port 22: Operation timed out

Now let's ssh to another host:
(ssh to host )

airjordan:~ kfelix$ 
airjordan:~ kfelix$ ssh

Okay now, let's apply the same thing, but this time to the VPN group-policy directly:

group-policy  MANAGEMENT attributes
 dns-server value
 vpn-filter value user1ac
 vpn-tunnel-protocol ikev1 l2tp-ipsec ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tun-managementonly
 default-domain value socpuppets.com
 user-authentication enable

So now you have seen two ways to restrict users. The vpn-filter command lets you apply an ACL that is group-specific (under the group-policy) or user-specific (under the username attributes), with the user-specific one taking precedence.
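To make the two behaviours above concrete (first-match ACL evaluation with the ASA's implicit deny at the end, and the user-level vpn-filter overriding the group-level one), here is an added Python model. It is not ASA code and not part of the original post; the client and internal addresses are constructed placeholders, since the post leaves the blocked host unnamed.

```python
"""
Constructed model of how an ASA applies a vpn-filter ACL to a VPN user's traffic:
  * access-list entries are evaluated top to bottom, first match wins;
  * no match at all means deny (implicit deny at the end of every ASA ACL);
  * a vpn-filter under 'username ... attributes' overrides the group-policy one.
Addresses below are placeholders (RFC 5737 documentation ranges), not from the post.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Service names the post's ACL lines use; "eq ssh" means TCP/22 on the ASA.
PORT_NAMES = {"ssh": 22, "http": 80, "https": 443}


@dataclass
class Ace:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp" or "ip"
    src: str                # "any", "host A.B.C.D" or "A.B.C.D/mask"
    dst: str
    dport: Optional[int]    # None = any destination port


def _take_addr(tokens: List[str], i: int):
    """Consume one address spec ('any', 'host X', or 'addr mask') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"host {tokens[i + 1]}", i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_ace(line: str) -> Ace:
    """Parse one 'access-list NAME extended ACTION PROTO SRC DST [eq PORT]' line."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError(f"unsupported ACL line: {line}")
    action, proto = t[3], t[4]
    src, i = _take_addr(t, 5)
    dst, i = _take_addr(t, i)
    dport = None
    if i < len(t) and t[i] == "eq":
        dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return Ace(action, proto, src, dst, dport)


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec.split()[1])
    return ip_address(addr) in ip_network(spec, strict=False)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for a flow; the first matching ACE decides."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_match_addr(ace.src, src) and _match_addr(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"   # implicit deny: nothing matched


def effective_filter(user_vpn_filter: Optional[str], group_vpn_filter: Optional[str]) -> Optional[str]:
    """The vpn-filter set on the username wins over the one on the group-policy."""
    return user_vpn_filter if user_vpn_filter else group_vpn_filter


# Placeholder for the host the post denies SSH to, and for a VPN client address.
BLOCKED_HOST = "192.0.2.10"
OTHER_HOST = "192.0.2.20"
CLIENT = "198.51.100.7"

# The post's two ACL lines, with the placeholder host filled in.
USER1AC = [parse_ace(l) for l in (
    f"access-list user1ac extended deny tcp any host {BLOCKED_HOST} eq ssh",
    "access-list user1ac extended permit tcp any any eq ssh",
)]

# Same two entries in the wrong order: the permit shadows the deny.
USER1AC_MISORDERED = list(reversed(USER1AC))


def demo() -> dict:
    return {
        "ssh_blocked_host": evaluate(USER1AC, "tcp", CLIENT, BLOCKED_HOST, 22),
        "ssh_other_host": evaluate(USER1AC, "tcp", CLIENT, OTHER_HOST, 22),
        "https_other_host": evaluate(USER1AC, "tcp", CLIENT, OTHER_HOST, 443),
        "misordered_blocked_host": evaluate(USER1AC_MISORDERED, "tcp", CLIENT, BLOCKED_HOST, 22),
        "filter_for_user1": effective_filter("user1ac", "groupacl"),
        "filter_without_user_acl": effective_filter(None, "groupacl"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28s} {v}")
```

Two things the model makes visible that the post's output alone does not: the SSH timeout to the blocked host is the deny entry matching first, and swapping the two lines would silently let that SSH through, because the "permit tcp any any eq ssh" line would match first. Anything the ACL does not mention, such as HTTPS to the permitted host, is dropped by the implicit deny.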

NOTE: If you make changes to the group-policy, the user attributes, or the access-list, they will not take effect until the user has disconnected and re-authenticated.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
       /     \
