Brandon,
Could you please suggest?
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Sat, 8 May 2010 17:46:47 +0530
Thanks Tyson...
With the use of the group-lock command, both my concerns have been resolved...
But today I practised SSL VPN for one of the devices which needs to be
provided access through the SSL VPN web page... which is behind another ASA... The SSL
VPN page after authentication gives me "connection failed, server <ip>
unavailable".....
I configured the following on the device (router):
ip http server
ip http authentication local
username cisco privilege 15 password cisco
ASA1 is the SSL VPN server... ASA2 is in front of the router which needs to be provided
access through the SSL VPN web page...
On ASA2 I opened TCP port 80 from any to the router's IP address..
Still I am unable to connect to the router... it says connection failed...
Any suggestions?
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Sat, 8 May 2010 01:02:56 +0530
But it's not working...
I placed the restriction on the SECUREMENOT group policy... but it was allowing access
to both devices...
My session will end in 10 minutes... I will try this again tomorrow...
Thanks Tyson.... :-)
Regards
Sumit Mahla
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Fri, 7 May 2010 15:27:40 -0400
You only need the value.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S,
Voice, Security & Service Provider) certification(s) with training locations
throughout the United States, Europe, South Asia and Australia. Be sure to
visit our online communities at www.ipexpert.com/communities and our public
website at www.ipexpert.com
From: Sumit Mahla [mailto:[email protected]]
Sent: Friday, May 07, 2010 3:25 PM
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
I think group-lock value <tunnel-group-name> would resolve one of my conditions,
that the user will only get authenticated for a particular tunnel...
But one thing is still a mystery to me... when I authenticate using a user...
the restrictions applied by filter value are not coming into effect....
According to what I read in that ASA All-in-One book.... function filter
enables the filtering... then we need to use filter value...
But I am not able to find the function filter command...
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Fri, 7 May 2010 15:17:25 -0400
Sorry, re-read your question. I can see that you are using group-urls, not
group-aliases.
OK
To restrict the user:
username cisco password cisco
username cisco attributes
 group-lock value <tunnel-group-name>
 vpn-group-policy <group>
You can also apply the filter here directly:
username cisco attributes
 webvpn
  filter value <web-filter-name>
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
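A complete configuration for the two-user scenario in the original question, using the group-lock approach suggested above. This is an added example, not configuration from this thread or from IPexpert; user, policy and tunnel-group names, the two group-urls and the 8.8.19.20 host come from the thread, while the ASA 8.0 syntax, the interface name outside and the passwords are assumptions or placeholders.

```cisco
! Added example: per-user tunnel-group pinning with group-lock (ASA 8.0 syntax assumed)
webvpn
 enable outside
! webtype ACL: the restricted user may only reach one web server on port 80.
! Webtype ACLs end with an implicit deny, so nothing else is browsable.
access-list CISCOSECUREMENOT webtype permit tcp host 8.8.19.20 eq www
!
! Group policies: the unrestricted one carries no filter, the restricted one does
group-policy CISCOSECUREME internal
group-policy CISCOSECUREME attributes
 vpn-tunnel-protocol webvpn
group-policy CISCOSECUREMENOT internal
group-policy CISCOSECUREMENOT attributes
 vpn-tunnel-protocol webvpn
 webvpn
  filter value CISCOSECUREMENOT
!
! Two tunnel-groups, each reached through its own group-url
tunnel-group CISCOSECUREME type remote-access
tunnel-group CISCOSECUREME general-attributes
 default-group-policy CISCOSECUREME
tunnel-group CISCOSECUREME webvpn-attributes
 group-url https://secureme.cisco.com enable
tunnel-group CISCOSECUREMENOT type remote-access
tunnel-group CISCOSECUREMENOT general-attributes
 default-group-policy CISCOSECUREMENOT
tunnel-group CISCOSECUREMENOT webvpn-attributes
 group-url https://securemenot.cisco.com enable
!
! Local users. group-lock compares the tunnel-group the session landed on
! (chosen by the group-url) with the locked name and rejects the login on a
! mismatch, so ciscosecuremenot cannot authenticate via secureme.cisco.com.
! Passwords are placeholders; set real ones.
username CISCOSECUREME password <placeholder-password>
username CISCOSECUREME attributes
 vpn-group-policy CISCOSECUREME
 group-lock value CISCOSECUREME
username CISCOSECUREMENOT password <placeholder-password>
username CISCOSECUREMENOT attributes
 vpn-group-policy CISCOSECUREMENOT
 group-lock value CISCOSECUREMENOT
!
! Check which tunnel-group and group-policy a session actually received:
! show vpn-sessiondb webvpn
```

Note that the ACL name is only enforced where it is referenced by filter value; assigning the username to a group-policy without that reference leaves the user unrestricted.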
From: Sumit Mahla [mailto:[email protected]]
Sent: Friday, May 07, 2010 3:05 PM
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Please have a look at the attachment... I was trying to find the highlighted
command... but I do not find it in 8.0.
What if the question does not ask to configure the group alias....
I did the below config.... Actually, what I understand is that the ASA follows an
inheritance model...
When a WebVPN connection lands on a tunnel group, it looks for the default group
policy of that tunnel... and also the username associated with the
tunnel...... So, when I land on, suppose, tunnel group A, why does the ASA
allow authentication by a user abc which is associated with the default group
policy of TUNNEL GROUP A?
I hope I explained my question?
http server enable
http redirect outside 80
webvpn
 enable Outside
group-policy CISCOSECUREME internal
group-policy CISCOSECUREME attributes
 banner value WELCOME CISCOSECUREME
 vpn-tunnel-protocol webvpn
group-policy CISCOSECUREMENOT internal
group-policy CISCOSECUREMENOT attributes
 banner value WELCOME CISCOSECUREME
 vpn-tunnel-protocol webvpn
 webvpn
  filter value CISCOSECUREMENOT
username CISCOSECUREME password iYLaxQbYcoMRPmX6 encrypted
username CISCOSECUREME attributes
 vpn-group-policy CISCOSECUREME
username CISCOSECUREMENOT password 8C5N48uk1NOyn08W encrypted
username CISCOSECUREMENOT attributes
 vpn-group-policy CISCOSECUREMENOT
tunnel-group DefaultWEBVPNGroup general-attributes
 default-group-policy CISCOSECUREME
tunnel-group DefaultWEBVPNGroup webvpn-attributes
 group-url https://securemecisco.com enable
tunnel-group CISCOSECUREMENOT type remote-access
tunnel-group CISCOSECUREMENOT general-attributes
 default-group-policy CISCOSECUREMENOT
tunnel-group CISCOSECUREME webvpn-attributes
 group-url https://securemenot.cisco.com enable
access-list CISCOSECUREMENOT webtype permit tcp host 8.8.19.20 eq www
Regards
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Fri, 7 May 2010 14:58:57 -0400
Yes. If you are doing it locally, make sure to use the group-alias commands in
the tunnel group, and the user will select the group. Next you would need to
add the attributes to the local users to restrict the groups they can
authenticate to.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
From: Sumit Mahla [mailto:[email protected]]
Sent: Friday, May 07, 2010 2:51 PM
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Is it not possible locally on the ASA?
I think the mistake I made is that to enable filter value... I need to first
enable filtering by using the function filter command...
Am I right?
From: [email protected]
To: [email protected]; [email protected]
Subject: RE: [OSL | CCIE_Security] WEBVPN user restriction
Date: Fri, 7 May 2010 14:31:13 -0400
You have to enable group-aliases and assign them to the tunnel groups. Then
make sure you download the group-policy name from ACS to confirm the policies
the users should receive.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
From: [email protected]
[mailto:[email protected]] On Behalf Of Sumit Mahla
Sent: Friday, May 07, 2010 2:24 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] WEBVPN user restriction
I defined vpn-group-policy under username attributes... I also defined the
default group policy under the tunnel group... and applied the webtype ACL as
filter value in the group policy..
Still the below-given restrictions are not working..
From: [email protected]
To: [email protected]
Date: Fri, 7 May 2010 23:52:26 +0530
Subject: [OSL | CCIE_Security] WEBVPN user restriction
Hello All,
I want to restrict two particular users to 2 different tunnel-groups... And I
also want these two tunnel groups to have different group URLs...
Like, if I access secureme.cisco.com, only user ciscosecure should be able to
authenticate... and after authentication he should be able to access
any device,
and if I access securemenot.cisco.com, then user ciscosecuremenot should be able
to authenticate... and should only be able to access one device...
WebVPN is working.... but either of the two users is able to access
through any of the group URLs, and after authentication the filter ACL is not
applying any restriction.
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com