Matt,

As others have said, VPN-Filter will do the job. However, as Eugene pointed out, the ACL is tricky: remember that SOURCE in the ACL is always REMOTE (no matter who is initiating the connection). Check this old email I wrote a couple of months back; it will give you a link as well.

===================================
Antonio,

I think you have guessed it right, i.e. VPN-Filter under group-policy. I usually put something like the following in the vpn-filter ACL:

access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 gt 1023 192.168.x.x 255.255.0.0 eq XYZ

where 10.x.x.x is the SSL VPN subnet, 192.168.x.x is on the core network/DMZ/LAN and XYZ is any service.

The key thing about the vpn-filter ACL is that the remote addresses (i.e. the SSL VPN addresses in your case) always act as the source, even though an inside/core user may be the one accessing a service on the remote address. For example, if you want to enable remote desktop functionality from your core to the SSL users, then the vpn-filter ACL would look like the following, in addition to the regular OUTBOUND ACL on the inside interface:

access-list vpn-filter-group-1 extended permit tcp 10.x.x.x 255.255.255.0 eq 3389 192.168.x.x 255.255.0.0 gt 1023

See page 9 of the following link: http://www.cisco.com/image/gif/paws/99103/pix-asa-vpn-filter.pdf

FNK.
=================================================

FNK

On Tue, May 1, 2012 at 7:03 PM, Eugene Pefti <[email protected]> wrote:
> That's quite a workaround ;)
>
> -----Original Message-----
> From: Matt Hill [mailto:[email protected]]
> Sent: 01 May 2012 15:35
> To: Eugene Pefti
> Cc: Piotr Matusiak
> Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
>
> How we got it to work was by using DAP, a new(ish) feature...
>
> We got the RADIUS to send the AD group to the ASA, then the ASA applies an
> ACL based on the attribute received from the RADIUS.
>
> Cheers for your help,
> Matt
>
> On 20 April 2012 05:02, Eugene Pefti <[email protected]> wrote:
> > And don't forget about the tricky logic of this ACL, Matt.
> >
> > The sources are the IPs in the VPN pool and the destinations are the hosts
> > protected by the firewall.
> >
> > Eugene
> >
> > From: [email protected] [mailto:[email protected]] On Behalf Of Piotr Matusiak
> > Sent: 17 April 2012 22:33
> > To: Matt Hill
> > Cc: CCIE Security Maillist
> > Subject: Re: [OSL | CCIE_Security] AnyConnect per group ACLs
> >
> > Hi Matt,
> >
> > Use the vpn-filter command, where you can reference an extended ACL to
> > filter the traffic per group. This command is under the group-policy, which
> > is referenced from your tunnel-group.
> >
> > Regards,
> > Piotr
> >
> > 2012/4/18 Matt Hill <[email protected]>
> >
> > Hi Everyone,
> >
> > I have a client who has a bunch of different user groups, let's call
> > them GROUP_1, GROUP_2 & GROUP_3, each with different network access
> > requirements & restrictions.
> >
> > The requirement is that if a user from GROUP_1 logs in, it gains
> > network access defined in ACL_1; if a user from GROUP_2 logs in, then
> > it gains access defined in ACL_2; and likewise for the third group.
> >
> > I am normally good with the Cisco Docs and Googleisms, but this time
> > I'm not having a very good time trying to find what I am after.
> >
> > If anyone has a decent doco link or sample config I'd appreciate it.
> >
> > Cheers,
> > Matt
> > CCIE #22386
> > CCSI #31207
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training,
> > please visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com
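To make the direction rule from the thread concrete, here is a small Python model (added here; not from the thread, the list, or Cisco) of how the ASA compares a TCP connection against a vpn-filter ACL: the VPN-pool address is always placed in the SOURCE position, so a connection opened from the core toward a VPN client is mirrored before matching. The pool 10.10.10.0/24 and port 443 are constructed stand-ins for the thread's 10.x.x.x and XYZ.

```python
"""Toy model of ASA vpn-filter ACL matching (added example, not from the thread).
Every ACE is written with the VPN-pool (remote) address as SOURCE, whichever side
opened the connection, so core-initiated flows are mirrored before comparison."""
import ipaddress
from typing import List, NamedTuple, Tuple

class Ace(NamedTuple):
    action: str                        # "permit" or "deny"
    src_net: ipaddress.IPv4Network     # VPN pool side (always the ACE source)
    src_port: Tuple[str, int]          # ("gt", 1023), ("eq", 3389), ...
    dst_net: ipaddress.IPv4Network     # protected (inside/DMZ) side
    dst_port: Tuple[str, int]

def parse_ace(line: str) -> Ace:
    """Parse 'access-list NAME extended permit tcp SRC MASK OP PORT DST MASK OP PORT'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended" or t[4] != "tcp":
        raise ValueError("unsupported ACE: " + line)
    return Ace(t[3],
               ipaddress.IPv4Network(f"{t[5]}/{t[6]}"), (t[7], int(t[8])),
               ipaddress.IPv4Network(f"{t[9]}/{t[10]}"), (t[11], int(t[12])))

def _port_ok(spec: Tuple[str, int], port: int) -> bool:
    op, n = spec
    return {"eq": port == n, "gt": port > n, "lt": port < n, "neq": port != n}[op]

def vpn_filter_allows(acl: List[Ace], pool: ipaddress.IPv4Network,
                      initiator: str, init_port: int,
                      responder: str, resp_port: int) -> bool:
    """True if the vpn-filter permits the connection; unmatched flows hit the implicit deny."""
    i, r = ipaddress.ip_address(initiator), ipaddress.ip_address(responder)
    if i in pool:                                  # VPN client opened it: compare as-is
        src, sport, dst, dport = i, init_port, r, resp_port
    else:                                          # core opened it: mirror the 4-tuple
        src, sport, dst, dport = r, resp_port, i, init_port
    for ace in acl:
        if (src in ace.src_net and dst in ace.dst_net
                and _port_ok(ace.src_port, sport) and _port_ok(ace.dst_port, dport)):
            return ace.action == "permit"
    return False

# Constructed sample: 10.10.10.0/24 stands in for the thread's 10.x.x.x pool, 443 for XYZ.
POOL = ipaddress.IPv4Network("10.10.10.0/24")
ACL = [parse_ace(l) for l in (
    "access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 gt 1023 192.168.0.0 255.255.0.0 eq 443",
    "access-list vpn-filter-group-1 extended permit tcp 10.10.10.0 255.255.255.0 eq 3389 192.168.0.0 255.255.0.0 gt 1023",
)]
```

With this ACL a VPN client reaching 192.168.1.20:443 and a core host opening RDP to a VPN client are both permitted, while a VPN client opening RDP toward the core is denied, which is exactly the asymmetry the second ACE in the thread relies on.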
